Posted to dev@tomcat.apache.org by bu...@apache.org on 2019/12/17 09:47:57 UTC

[Bug 64008] New: Tomcat ignores default web.xml and falls back to hard-coded defaults

https://bz.apache.org/bugzilla/show_bug.cgi?id=64008

            Bug ID: 64008
           Summary: Tomcat ignores default web.xml and falls back to
                    hard-coded defaults
           Product: Tomcat 8
           Version: 8.5.50
          Hardware: PC
                OS: Windows NT
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: emergency.shower@gmail.com
  Target Milestone: ----

We use embedded Tomcat and deploy a web app programmatically using the
addWebapp(Host, String, String, LifecycleListener) method.

The LifecycleListener is a ContextConfig that has a default web.xml configured
that should prevent the JSPServlet from being loaded.

Other than expected, it turns out that addWebapp actively ignores the
configured default web.xml and Tomcat instead loads statically hard-coded
default configuration that includes the JSPServlet and servlet mappings for it.

This behaviour led to a remote code execution vulnerability in one of our
products.

The code below shows how Tomcat is initialized.

import org.apache.catalina.Context;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.startup.ContextConfig;
import org.apache.catalina.startup.Tomcat;

final Tomcat tomcat;
// ...
// Listener carrying our own default web.xml (one without the JspServlet)
final ContextConfig contextConfig = new ContextConfig();

contextConfig.setDefaultWebXml(getDefaultWebXml());

// The cast selects the addWebapp(Host, String, String, LifecycleListener) overload
final Context ctx = tomcat.addWebapp(host, getContextPath(), getDocBaseDir(),
    (LifecycleListener) contextConfig);

// ...
tomcat.start();

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


[Bug 64008] Tomcat ignores default web.xml and falls back to hard-coded defaults


--- Comment #2 from Mark Thomas <ma...@apache.org> ---
The class level Javadoc does document that the various addWebapp methods
configure the Default Servlet, JSP servlet etc. The LifecycleListener in
#addWebapp(Host, String, String, LifecycleListener) is intended for additional
configuration rather than as a complete replacement.

I'll go through the Javadoc and try and make this clearer.



[Bug 64008] Tomcat ignores default web.xml and falls back to hard-coded defaults


--- Comment #3 from emergency.shower@gmail.com ---
https://bz.apache.org/bugzilla/show_bug.cgi?id=62755 seems to be a related
issue.

It seems that the provided fix did not make it into the Tomcat codebase.



[Bug 64008] Tomcat ignores default web.xml and falls back to hard-coded defaults


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #5 from Mark Thomas <ma...@apache.org> ---
Javadoc updated in:
- master for 9.0.31 onwards
- 8.5.x for 8.5.51 onwards
- 7.0.x for 7.0.100 onwards

I also back-ported the enhancement in 62755 to 8.5.x and 7.0.x.

With the current API in 8.5.x, if you don't want the JSP servlet then one
option is to use addContext() and configure everything manually. Further help
and advice is available via the users mailing list if required.

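As an added example (not code from the bug report or from Tomcat's own sources), this is the addContext() route that comment #5 points to: only the static-file servlet is wired in by hand, and a startup check confirms that no JSP servlet and no *.jsp mapping ended up in the Context. The port and the "webapp" docBase directory are assumptions for illustration; the same check run after the reporter's addWebapp() call is what would have flagged the problem described in the bug.

```java
import java.io.File;

import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.Tomcat;

public class NoJspEmbedded {

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);          // assumed port
        tomcat.getConnector();         // create the default HTTP connector (8.5+)

        // addContext() registers neither the Default servlet nor the JSP servlet,
        // unlike addWebapp(), which always adds both from its hard-coded defaults.
        String docBase = new File("webapp").getAbsolutePath(); // assumed docBase
        Context ctx = tomcat.addContext("", docBase);

        // Wire in only what we want: static file serving, no Jasper.
        Wrapper def = Tomcat.addServlet(ctx, "default",
                "org.apache.catalina.servlets.DefaultServlet");
        def.setLoadOnStartup(1);
        ctx.addServletMappingDecoded("/", "default");
        ctx.addWelcomeFile("index.html");

        tomcat.start();

        // Fail closed: refuse to serve if a JSP servlet slipped in anyway.
        if (jspServletRegistered(ctx)) {
            tomcat.stop();
            throw new IllegalStateException("JspServlet registered in context");
        }
        tomcat.getServer().await();
    }

    /** True if any wrapper in the context is the Jasper JSP servlet
     *  or a *.jsp / *.jspx servlet mapping exists. */
    static boolean jspServletRegistered(Context ctx) {
        for (Container child : ctx.findChildren()) {
            if (child instanceof Wrapper) {
                String cls = ((Wrapper) child).getServletClass();
                if ("org.apache.jasper.servlet.JspServlet".equals(cls)) {
                    return true;
                }
            }
        }
        for (String pattern : ctx.findServletMappings()) {
            if (pattern.endsWith(".jsp") || pattern.endsWith(".jspx")) {
                return true;
            }
        }
        return false;
    }
}
```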


[Bug 64008] Tomcat ignores default web.xml and falls back to hard-coded defaults


--- Comment #4 from emergency.shower@gmail.com ---
(In reply to Mark Thomas from comment #2)
> The class level Javadoc does document that the various addWebapp methods
> configure the Default Servlet, JSP servlet etc. The LifecycleListener in
> #addWebapp(Host, String, String, LifecycleListener) is intended for
> additional configuration rather than as a complete replacement.
> 
> I'll go through the Javadoc and try and make this clearer.

Is there a documented way to safely deploy a web app in embedded Tomcat without
having the JspServlet added?

I've tried to override classes, but a mixture of static and private methods
prevented me from getting a clean implementation.



[Bug 64008] Tomcat ignores default web.xml and falls back to hard-coded defaults


--- Comment #1 from Remy Maucherat <re...@apache.org> ---
*** Bug 64009 has been marked as a duplicate of this bug. ***
