Posted to users@tomcat.apache.org by Greg Huber <gr...@gmail.com> on 2024/03/10 10:50:23 UTC

reloading context with manager-script

Hello,

Using http://tomcat/manager-app/text/reload?path=/

When I reload an application (in java), I get a reply

OK - Reloaded application at context path [/]

but when the application is not present I get this reply:

FAIL - No context exists named [&#47;]

Is it intentional that the fail shows the ascii code rather than the 
slash like on the OK?

Re: reloading context with manager-script

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 3/14/24 07:57, Mark Thomas wrote:
> On 12/03/2024 13:47, Christopher Schultz wrote:
>> Greg and Mark,
>>
>> On 3/12/24 05:00, Greg Huber wrote:
>>> On 11/03/2024 18:17, Christopher Schultz wrote:
>>>> Mark,
>>>>
>>>> On 3/10/24 08:49, Mark Thomas wrote:
>>>>> On 10/03/2024 10:50, Greg Huber wrote:
>>>>>> Hello,
>>>>>>
>>>>>> Using http://tomcat/manager-app/text/reload?path=/
>>>>>>
>>>>>> When I reload an application (in java), I get a reply
>>>>>>
>>>>>> OK - Reloaded application at context path [/]
>>>>>>
>>>>>> but when the application is not present I get this reply:
>>>>>>
>>>>>> FAIL - No context exists named [&#47;]
>>>>>>
>>>>>> Is it intentional that the fail shows the ascii code rather than 
>>>>>> the slash like on the OK?
>>>>>
>>>>> Yes.
>>>>>
>>>>> If the provided context exists then we know that the name is HTML 
>>>>> safe since all valid context names are HTML safe. In this case 
>>>>> there is no escaping.
>>>>>
>>>>> If the context does not exist then the provided content name may 
>>>>> not be HTML safe (it could be a deliberate XSS attempt) hence it is 
>>>>> escaped.
>>>>
>>>> What is the Content-Type of the response? The URL implies that it's 
>>>> a text interface, not HTML.
>>>
>>> Running it on the browser I get
>>>
>>> Content-Type : text/plain;charset=utf-8
>>
>> Yeah, that's what I was expecting.
>>
>> I think HTML escaping is not appropriate, here.
> 
> Agreed. The challenge is that you don't have the context to determine if 
> the request originates from the HTMLManagerServlet.
> 
> It may be possible to refactor the escaping so it happens in 
> HTMLManagerServlet instead.

Okay, that's fair.

We also might be able to sniff the content-type from the code generating 
the response to decide whether or not to HTML-escape.

-chris

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
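
The idea discussed above, choosing the escaping from the response's Content-Type, sketched as an added example; it is not Tomcat's code and not from any poster in this thread. The class and method names are hypothetical, and the control-character handling for plain text is an extra precaution assumed here, not something the thread discusses.

```java
import java.util.Locale;
/** Added illustration: pick the output encoding from the response Content-Type. */
public class ContextNameEncoding {

    /** Minimal HTML escaper; '/' is encoded too, matching the &#47; seen in the thread. */
    static String escapeHtml(String s) {
        StringBuilder out = new StringBuilder(s.length() + 16);
        for (char c : s.toCharArray()) {
            switch (c) {
                case '&': out.append("&amp;"); break;
                case '<': out.append("&lt;"); break;
                case '>': out.append("&gt;"); break;
                case '"': out.append("&quot;"); break;
                case '\'': out.append("&#39;"); break;
                case '/': out.append("&#47;"); break;
                default: out.append(c);
            }
        }
        return out.toString();
    }

    /** Plain text needs no HTML escaping. Assumption: control characters are replaced
     *  so an echoed value cannot start a new line in a line-oriented reply. */
    static String escapeText(String s) {
        StringBuilder out = new StringBuilder(s.length());
        for (char c : s.toCharArray()) out.append(Character.isISOControl(c) ? '?' : c);
        return out.toString();
    }

    /** Hypothetical helper: contentType is whatever the caller set on the response. */
    static String encodeFor(String contentType, String value) {
        String type = contentType == null ? "" : contentType.toLowerCase(Locale.ROOT).trim();
        boolean plain = type.startsWith("text/plain");
        // Fail closed: anything not known to be plain text gets HTML escaping.
        return plain ? escapeText(value) : escapeHtml(value);
    }

    public static void main(String[] args) {
        String[] names = { "/", "/<b>x</b>" };   // constructed sample inputs
        String[] types = { "text/plain;charset=utf-8", "text/html;charset=utf-8" };
        for (String type : types) {
            for (String name : names) {
                System.out.println(type + " -> FAIL - No context exists named ["
                        + encodeFor(type, name) + "]");
            }
        }
    }
}
```

With the plain-text type the root context prints as `[/]`, as in the OK reply; with the HTML type it prints as `[&#47;]`, as in the FAIL reply quoted in the thread.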


Re: reloading context with manager-script

Posted by Mark Thomas <ma...@apache.org>.
On 12/03/2024 13:47, Christopher Schultz wrote:
> Greg and Mark,
> 
> On 3/12/24 05:00, Greg Huber wrote:
>> On 11/03/2024 18:17, Christopher Schultz wrote:
>>> Mark,
>>>
>>> On 3/10/24 08:49, Mark Thomas wrote:
>>>> On 10/03/2024 10:50, Greg Huber wrote:
>>>>> Hello,
>>>>>
>>>>> Using http://tomcat/manager-app/text/reload?path=/
>>>>>
>>>>> When I reload an application (in java), I get a reply
>>>>>
>>>>> OK - Reloaded application at context path [/]
>>>>>
>>>>> but when the application is not present I get this reply:
>>>>>
>>>>> FAIL - No context exists named [&#47;]
>>>>>
>>>>> Is it intentional that the fail shows the ascii code rather than 
>>>>> the slash like on the OK?
>>>>
>>>> Yes.
>>>>
>>>> If the provided context exists then we know that the name is HTML 
>>>> safe since all valid context names are HTML safe. In this case there 
>>>> is no escaping.
>>>>
>>>> If the context does not exist then the provided content name may not 
>>>> be HTML safe (it could be a deliberate XSS attempt) hence it is 
>>>> escaped.
>>>
>>> What is the Content-Type of the response? The URL implies that it's a 
>>> text interface, not HTML.
>>
>> Running it on the browser I get
>>
>> Content-Type : text/plain;charset=utf-8
> 
> Yeah, that's what I was expecting.
> 
> I think HTML escaping is not appropriate, here.

Agreed. The challenge is that you don't have the context to determine if 
the request originates from the HTMLManagerServlet.

It may be possible to refactor the escaping so it happens in 
HTMLManagerServlet instead.

Mark



Re: reloading context with manager-script

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Greg and Mark,

On 3/12/24 05:00, Greg Huber wrote:
> On 11/03/2024 18:17, Christopher Schultz wrote:
>> Mark,
>>
>> On 3/10/24 08:49, Mark Thomas wrote:
>>> On 10/03/2024 10:50, Greg Huber wrote:
>>>> Hello,
>>>>
>>>> Using http://tomcat/manager-app/text/reload?path=/
>>>>
>>>> When I reload an application (in java), I get a reply
>>>>
>>>> OK - Reloaded application at context path [/]
>>>>
>>>> but when the application is not present I get this reply:
>>>>
>>>> FAIL - No context exists named [&#47;]
>>>>
>>>> Is it intentional that the fail shows the ascii code rather than the 
>>>> slash like on the OK?
>>>
>>> Yes.
>>>
>>> If the provided context exists then we know that the name is HTML 
>>> safe since all valid context names are HTML safe. In this case there 
>>> is no escaping.
>>>
>>> If the context does not exist then the provided content name may not 
>>> be HTML safe (it could be a deliberate XSS attempt) hence it is escaped.
>>
>> What is the Content-Type of the response? The URL implies that it's a 
>> text interface, not HTML.
>
> Running it on the browser I get
>
> Content-Type : text/plain;charset=utf-8

Yeah, that's what I was expecting.

I think HTML escaping is not appropriate, here.

-chris



Re: reloading context with manager-script

Posted by Greg Huber <gr...@gmail.com>.
Running it on the browser I get

Content-Type : text/plain;charset=utf-8

On 11/03/2024 18:17, Christopher Schultz wrote:
> Mark,
>
> On 3/10/24 08:49, Mark Thomas wrote:
>> On 10/03/2024 10:50, Greg Huber wrote:
>>> Hello,
>>>
>>> Using http://tomcat/manager-app/text/reload?path=/
>>>
>>> When I reload an application (in java), I get a reply
>>>
>>> OK - Reloaded application at context path [/]
>>>
>>> but when the application is not present I get this reply:
>>>
>>> FAIL - No context exists named [&#47;]
>>>
>>> Is it intentional that the fail shows the ascii code rather than the 
>>> slash like on the OK?
>>
>> Yes.
>>
>> If the provided context exists then we know that the name is HTML 
>> safe since all valid context names are HTML safe. In this case there 
>> is no escaping.
>>
>> If the context does not exist then the provided content name may not 
>> be HTML safe (it could be a deliberate XSS attempt) hence it is escaped.
>
> What is the Content-Type of the response? The URL implies that it's a 
> text interface, not HTML.
>
> -chris

Re: reloading context with manager-script

Posted by Christopher Schultz <ch...@christopherschultz.net>.
Mark,

On 3/10/24 08:49, Mark Thomas wrote:
> On 10/03/2024 10:50, Greg Huber wrote:
>> Hello,
>>
>> Using http://tomcat/manager-app/text/reload?path=/
>>
>> When I reload an application (in java), I get a reply
>>
>> OK - Reloaded application at context path [/]
>>
>> but when the application is not present I get this reply:
>>
>> FAIL - No context exists named [&#47;]
>>
>> Is it intentional that the fail shows the ascii code rather than the 
>> slash like on the OK?
> 
> Yes.
> 
> If the provided context exists then we know that the name is HTML safe 
> since all valid context names are HTML safe. In this case there is no 
> escaping.
> 
> If the context does not exist then the provided content name may not be 
> HTML safe (it could be a deliberate XSS attempt) hence it is escaped.

What is the Content-Type of the response? The URL implies that it's a 
text interface, not HTML.

-chris



Re: reloading context with manager-script

Posted by Greg Huber <gr...@gmail.com>.
OK, thanks.  Something I can deal with in my app.

On Sun, 10 Mar 2024 at 12:49, Mark Thomas <ma...@apache.org> wrote:

> On 10/03/2024 10:50, Greg Huber wrote:
> > Hello,
> >
> > Using http://tomcat/manager-app/text/reload?path=/
> >
> > When I reload an application (in java), I get a reply
> >
> > OK - Reloaded application at context path [/]
> >
> > but when the application is not present I get this reply:
> >
> > FAIL - No context exists named [&#47;]
> >
> > Is it intentional that the fail shows the ascii code rather than the
> > slash like on the OK?
>
> Yes.
>
> If the provided context exists then we know that the name is HTML safe
> since all valid context names are HTML safe. In this case there is no
> escaping.
>
> If the context does not exist then the provided content name may not be
> HTML safe (it could be a deliberate XSS attempt) hence it is escaped.
>
> Mark

Re: reloading context with manager-script

Posted by Mark Thomas <ma...@apache.org>.
On 10/03/2024 10:50, Greg Huber wrote:
> Hello,
> 
> Using http://tomcat/manager-app/text/reload?path=/
> 
> When I reload an application (in java), I get a reply
> 
> OK - Reloaded application at context path [/]
> 
> but when the application is not present I get this reply:
> 
> FAIL - No context exists named [&#47;]
> 
> Is it intentional that the fail shows the ascii code rather than the 
> slash like on the OK?

Yes.

If the provided context exists then we know that the name is HTML safe 
since all valid context names are HTML safe. In this case there is no 
escaping.

If the context does not exist then the provided content name may not be 
HTML safe (it could be a deliberate XSS attempt) hence it is escaped.

Mark
