Posted to dev@tomcat.apache.org by bu...@apache.org on 2017/09/05 07:10:35 UTC

[Bug 61489] New: Disable creation of command line parameters from GET parameters in the URL

https://bz.apache.org/bugzilla/show_bug.cgi?id=61489

            Bug ID: 61489
           Summary: Disable creation of command line parameters from GET
                    parameters in the URL
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: jan0michael@yahoo.com
  Target Milestone: -----

Created attachment 35290
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35290&action=edit
Make creation of command line parameters from GET parameters optional

The CGI RFC says that the server SHOULD create command line arguments from
certain GET parameters.

https://tools.ietf.org/html/rfc3875#section-4.4
4.4.  The Script Command Line


I don't like this, because I think this can be a security risk in certain
cases.
I suggest disabling this feature by default, or at least allowing it to be
disabled by configuration.

The proposed patch makes this feature configurable.
The line

private boolean enableCmdLineArguments = false;

makes the feature disabled by default. Putting "= true" would make it enabled
by default.

-- 
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
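As an added illustration (not code from this thread, the attached patch, or Tomcat itself), the Python below models the RFC 3875 section 4.4 rule the report refers to together with the opt-in switch the patch introduces. An "indexed" query is a GET or HEAD request whose query string contains no unencoded "=" characters; the server splits it on "+" and URL-decodes each word into a separate argv entry. Here that only happens when the feature is enabled, and the default is off. The init-param name `enableCmdLineArguments` is assumed to mirror the field name quoted in the report, and the helper names are this example's own. The decision to generate no arguments at all when one word is empty is this example's reading of the RFC's "cannot create any part of the argument list" clause.

```python
from urllib.parse import unquote

# Added example, not Tomcat code. Models RFC 3875 section 4.4 plus the
# opt-in switch discussed in the bug report; the safe default is "disabled".
DEFAULT_ENABLE_CMD_LINE_ARGUMENTS = False


def enable_from_init_param(value):
    """Interpret an <init-param> value (assumed name: enableCmdLineArguments).
    Only the literal 'true' (case-insensitive) enables the feature; a missing
    or unrecognised value keeps the safe default."""
    if value is None:
        return DEFAULT_ENABLE_CMD_LINE_ARGUMENTS
    return value.strip().lower() == "true"


def is_indexed_query(query_string, method="GET"):
    """RFC 3875 4.4: an 'indexed' query is a GET or HEAD request whose query
    string contains no unencoded '=' characters ('%3D' does not count)."""
    if method.upper() not in ("GET", "HEAD"):
        return False
    return query_string != "" and "=" not in query_string


def cgi_argv_from_query(query_string,
                        enable_cmd_line_arguments=DEFAULT_ENABLE_CMD_LINE_ARGUMENTS,
                        method="GET"):
    """Return the argument list RFC 3875 4.4 derives from the query string,
    or [] when the feature is disabled or the query is not indexed.

    Each '+'-separated search-word is URL-decoded and becomes one argv entry.
    With the feature disabled the script still sees the raw query in the
    QUERY_STRING environment variable, so nothing is lost except argv."""
    if not enable_cmd_line_arguments:
        return []
    if not is_indexed_query(query_string, method):
        return []
    argv = []
    for word in query_string.split("+"):
        if word == "":
            # search-word = 1*schar, so an empty word is not representable.
            # RFC 3875: if any part of the list cannot be created, generate
            # no command line information at all (this example's reading).
            return []
        argv.append(unquote(word))
    return argv


if __name__ == "__main__":
    # Constructed sample query strings, not captured traffic.
    for qs in ("report+2017%2D09", "a%3Db+c", "name=value", "x++y"):
        print(repr(qs), "enabled ->", cgi_argv_from_query(qs, True),
              "| default ->", cgi_argv_from_query(qs))
```

Running the block shows the asymmetry the reporter is concerned about: with the feature enabled, `report+2017%2D09` becomes two argv entries, while with the default the same request yields no arguments and the script must read `QUERY_STRING` itself. An encoded `%3D` still counts as an indexed query, whereas a literal `=` disables argument generation entirely, as the RFC prescribes.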


[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet

Posted by bu...@apache.org.
https://bz.apache.org/bugzilla/show_bug.cgi?id=61489

--- Comment #3 from Christopher Schultz <ch...@christopherschultz.net> ---
I like the idea of locking this down, but requiring a rebuild-from-source to
change the setting isn't acceptable.

Can you add a new <init-param> to control this behavior?

+1 for making it DISABLED by default (i.e. DO NOT CREATE COMMAND-LINE ARGUMENTS
by default).



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


--- Comment #2 from jm009 <ja...@yahoo.com> ---
Created attachment 35293
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35293&action=edit
Make evaluation of enableCmdLineArguments in outer if.

In fact the evaluation of "boolean enableCmdLineArguments" can happen in the
outer if block.



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to jm009 from comment #4)
> I don't understand...
> My patch already uses <init-param>.

Sorry, you are correct. I did not read the patch closely enough.



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |FIXED

--- Comment #6 from Mark Thomas <ma...@apache.org> ---
I've applied the patch but I do have some feedback for future patches that will
make applying your patches quicker and simpler for committers:
- Enable checkstyle and ensure the build is clean after your changes
- You'll want to configure your IDE to insert 4 spaces rather than a tab
- Patches that add configuration options should also include appropriate
additions to the documentation

To avoid breakage for existing users that may depend on this functionality, it
is only disabled by default in 9.0.x onwards.



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL


--- Comment #1 from jm009 <ja...@yahoo.com> ---
Why I suggest disabling this feature by default:

1) I never saw a servlet that uses this feature

2) I suppose this feature comes from the beginnings of the internet, when
people wanted to run some system command by clicking on a link, and the term
"security" was not yet used in computer science :-)



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


--- Comment #8 from Mark Thomas <ma...@apache.org> ---
np and thanks for the patch - just realised I forgot to say that before.



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


Christopher Schultz <ch...@christopherschultz.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
           Keywords|                            |PatchAvailable



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


--- Comment #7 from jm009 <ja...@yahoo.com> ---
Thank you for the feedback and for applying the patch.



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


jm009 <ja...@yahoo.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
            Summary|Disable creation of command |Disable creation of command
                   |line parameters from GET    |line parameters from GET
                   |parameters in the URL       |parameters in the URL for
                   |                            |CGIServlet



[Bug 61489] Disable creation of command line parameters from GET parameters in the URL for CGIServlet


--- Comment #4 from jm009 <ja...@yahoo.com> ---
I don't understand...
My patch already uses <init-param>.

The patch as it is makes the feature disabled by default.
