Posted to dev@tomcat.apache.org by ma...@apache.org on 2023/06/12 14:56:06 UTC

[tomcat] branch 8.5.x updated: Expand security guidance to cover embedded usage

This is an automated email from the ASF dual-hosted git repository.

markt pushed a commit to branch 8.5.x
in repository https://gitbox.apache.org/repos/asf/tomcat.git


The following commit(s) were added to refs/heads/8.5.x by this push:
     new ea29465b75 Expand security guidance to cover embedded usage
ea29465b75 is described below

commit ea29465b751f8d58ee3b4363b2dd35123f4b19af
Author: Mark Thomas <ma...@apache.org>
AuthorDate: Mon Jun 12 15:54:28 2023 +0100

    Expand security guidance to cover embedded usage
---
 webapps/docs/changelog.xml      |  9 +++++++++
 webapps/docs/security-howto.xml | 30 ++++++++++++++++++++++++++++++
 2 files changed, 39 insertions(+)

diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index ce1d7a9719..07534eef53 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -132,6 +132,15 @@
       </fix>
     </changelog>
   </subsection>
+  <subsection name="Web applications">
+    <changelog>
+      <add>
+        Documentation. Expand the security guidance to cover the embedded use
+        case and add notes on the uses made of the <code>java.io.tmpdir</code>
+        system property. (markt)
+      </add>
+    </changelog>
+  </subsection>
 </section>
 <section name="Tomcat 8.5.90 (schultz)" rtext="release in progress">
   <subsection name="Catalina">
diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml
index 3d2a0a7eb9..eea42566e3 100644
--- a/webapps/docs/security-howto.xml
+++ b/webapps/docs/security-howto.xml
@@ -394,6 +394,13 @@
       <code>/*</code>. It should also be noted the RFC6265 section 8.5 makes it
       clear that different paths should not be considered sufficient to isolate
       cookies from other applications.</p>
+
+      <p>When <strong>antiResourceLocking</strong> is enabled, Tomcat will copy
+      the unpacked web application to the directory defined by the
+      <code>java.io.tmpdir</code> system property
+      (<code>$CATALINA_BASE/temp</code> by default). This location should be
+      secured with appropriate file permissions - typically read/write for the
+      Tomcat user and no access for other users.</p>
     </subsection>
 
     <subsection name="Valves">
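Review bot: In the added antiResourceLocking paragraph, "read/write for the Tomcat user" under-specifies the permissions for a directory: on POSIX file systems the owner also needs execute (search) permission to create or open files inside it, so a directory granted only read/write is unusable. Suggest wording such as "full access for the Tomcat user and no access for other users" (for example mode 0700 on POSIX), applied as well to the file upload paragraph added later in this patch, which repeats the same sentence.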
@@ -562,6 +569,23 @@
     to be co-ordinated with any headers that the reverse proxy sets.</p>
   </section>
 
+  <section name="Embedded Tomcat">
+    <p>When using embedded Tomcat, the typical defaults provided by the scripts,
+    server.xml and other configuration are not set. Users of embedded Tomcat may
+    wish to consider the following:</p>
+    <ul>
+      <li>The listeners normally configured in server.xml, including
+      <code>org.apache.catalina.security.SecurityListener</code>, will not be
+      configured by default. They must be explicitly enabled if required.</li>
+      <li>The <code>java.io.tmpdir</code> will not be set (it is normally set to
+      <code>$CATALINA_BASE/temp</code>). This directory is used for various
+      temporary files that may be security sensitive including file uploads and
+      a copy of the web application if anti-resource locking is enabled.
+      Consider setting the <code>java.io.tmpdir</code> system property to an
+      appropriately secured directory.</li>
+    </ul>
+  </section>
+
   <section name="General">
     <p>BASIC and FORM authentication pass user names and passwords in clear
     text. Web applications using these authentication mechanisms with clients
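Review bot: In the second list item of the new Embedded Tomcat section, "The java.io.tmpdir will not be set" reads as if the property is left undefined, but the JVM always supplies a platform default for it (commonly a shared directory such as /tmp on Unix-like systems), and that shared location is the actual exposure for uploads and the anti-resource-locking copy. Suggest "The java.io.tmpdir system property will not be set by Tomcat and will keep the JVM default value", which also adds the missing "system property" after the property name.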
@@ -572,6 +596,12 @@
     level of protection as the password itself. This usually means
     authenticating over SSL and continuing to use SSL until the session
     ends.</p>
+
+    <p>Tomcat's implementation of the Servlet API's file upload support may use
+    the directory defined by the <code>java.io.tmpdir</code> system property
+    (<code>$CATALINA_BASE/temp</code> by default) to store temporary files. This
+    location should be secured with appropriate file permissions - typically
+    read/write for the Tomcat user and no access for other users.</p>
   </section>
 
 </body>
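Review bot: The "($CATALINA_BASE/temp by default)" in the added file upload paragraph holds only when Tomcat is started in a way that sets the property; the Embedded Tomcat section added by this same patch states that it will not be set in embedded use. Suggest qualifying the default here and in the antiResourceLocking paragraph (for example "when started with the standard scripts") or pointing to the Embedded Tomcat section, so that a reader of the General section alone does not assume the directory is already private to Tomcat.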

