Posted to users@tomcat.apache.org by Alexander Diedler <ad...@tecracer.de> on 2009/06/11 08:51:13 UTC

Tomcat 6.0.18 access files case-insensitive

Hello,

We have an application based on IIS 6.0 and Tomcat 6.0.18. In this
application a PDF is opened (href=start.PDF). This PDF contains many
links to other documents, which are opened in the browser (KapA.PDF,
KapB.PDF). Now the distributor delivers update files with changing extensions
or names.  The link is KapA.PDF in the overview, but the file is called
KapA.pdf on the filesystem, and Tomcat said 404 because "PDF" does not equal "pdf".
It can also be kapb.pdf in the overview and KAPB.PDF on the filesystem.

Is there any option to disable case sensitivity in Tomcat, or is it a
"base-feature" of the Java architecture?

 

Greetings

Alexander

 

 


Re: Tomcat 6.0.18 access files case-insensitive

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Should the first phrase not read
>> "If the value of this flag is true, all case sensitivity checks will be
>> *enabled*."
> 
> Agreed.

Fixed for 4.1.x, 5.5.x, 6.0.x & trunk. Will be in the next releases of each.

All this time and no-one noticed...

Mark


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org


Re: Tomcat 6.0.18 access files case-insensitive

Posted by Mark Thomas <ma...@apache.org>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>>
>> Since the filesystem is case-sensitive, it may well have both
>> "abc.html" and "ABC.HTML" in the same directory. So which one
>> would it pick to keep ?
> 
> Presumably the first or last one encountered.  A clever algorithm could keep them all (via a case-insensitive hash) and then try for an exact match; if that failed, pick one.  Would seem like a lot of work for little benefit.
> 
>> So, back to the Tomcat developers.  What /is/ the point of the
>> caseSensitive attribute in the <Context> element ?
> 
> Inquiring minds want to know...

As far as I can tell from the archives, it was introduced as a backwards
compatibility option for Tomcat 3.1.1 when Tomcat was made case
sensitive on Windows for security reasons. [1]

If this is correct, it is probably safe to remove it by now ;)

I've made a proposal to do just that for Tomcat 7 on the dev list. [2]

Mark

[1] http://markmail.org/message/6o6w2wpgqcys6vwx
[2] http://markmail.org/message/nl7usm7345wh2vvg




Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
> 
> Presumably the first or last one encountered. ...

Or it could just pick a random file in the directory, whether it matches
something or not.  After all, you were saying that this would only
affect lazy clients or bad programmers.




RE: Tomcat 6.0.18 access files case-insensitive

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Tomcat 6.0.18 access files case-insensitive
> 
> Since the filesystem is case-sensitive, it may well have both
> "abc.html" and "ABC.HTML" in the same directory. So which one
> would it pick to keep ?

Presumably the first or last one encountered.  A clever algorithm could keep them all (via a case-insensitive hash) and then try for an exact match; if that failed, pick one.  Would seem like a lot of work for little benefit.

> So, back to the Tomcat developers.  What /is/ the point of the
> caseSensitive attribute in the <Context> element ?

Inquiring minds want to know...

 - Chuck


THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
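
An added example (not from this thread and not Tomcat's code) of the lookup discussed above: a case-insensitive index over one flat directory that tries an exact match first. It departs from the "pick one" suggestion by returning nothing when two names differ only by case; the class, its methods and the file listing are constructed for illustration.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.HashMap;
import java.util.List;
import java.util.Locale;
import java.util.Map;
import java.util.Optional;

public class CaseTolerantLookup {

    // lower-cased name -> every on-disk spelling that folds to it
    private final Map<String, List<String>> byLowerCase = new HashMap<>();

    /** Index file names (as stored on disk) under their lower-cased form. */
    CaseTolerantLookup(List<String> onDiskNames) {
        for (String name : onDiskNames) {
            byLowerCase.computeIfAbsent(name.toLowerCase(Locale.ROOT),
                    k -> new ArrayList<>()).add(name);
        }
    }

    /** Names of the regular files in one flat directory, for use on a real tree. */
    static List<String> listing(Path dir) throws IOException {
        List<String> names = new ArrayList<>();
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                if (Files.isRegularFile(entry)) {
                    names.add(entry.getFileName().toString());
                }
            }
        }
        return names;
    }

    /** Returns the on-disk name to serve or redirect to; empty means 404. */
    Optional<String> resolve(String requested) {
        // Plain file names only: the tolerance never extends to other directories.
        if (requested.contains("/") || requested.contains("\\")) {
            return Optional.empty();
        }
        List<String> candidates = byLowerCase.get(requested.toLowerCase(Locale.ROOT));
        if (candidates == null) return Optional.empty();
        if (candidates.contains(requested)) return Optional.of(requested); // exact match wins
        // A unique case-insensitive match is accepted; an ambiguous one is refused.
        return candidates.size() == 1 ? Optional.of(candidates.get(0)) : Optional.empty();
    }

    public static void main(String[] args) {
        // Constructed listing; the last two names can only coexist on a case-sensitive filesystem.
        CaseTolerantLookup docs = new CaseTolerantLookup(
                Arrays.asList("KapA.pdf", "KAPB.PDF", "abc.html", "ABC.HTML"));
        for (String name : new String[] {"KapA.PDF", "kapb.pdf", "abc.html", "Abc.Html", "KapC.pdf"}) {
            System.out.println(name + " -> " + docs.resolve(name).orElse("404"));
        }
    }
}
```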


Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Tim Funk wrote:
> It's there "for convenience" (and been there "forever") - but it is a 
> great big security hole if we ignore case (Try asking for 
> /web-INF/wEb.xml - or even more evil  "/web-INF/wEb.xm%6c")
> 
Ok.  My point (at the end) was : there does not seem to be a real 
"useful use" for /ever/ setting this to false.
Under Windows, you shouldn't.
And under any OS which has a case-sensitive filesystem, it does not seem 
to achieve anything useful basically.
So why even keep it, and have it documented ?
Just set it to true internally and be done with it.




Re: Tomcat 6.0.18 access files case-insensitive

Posted by Tim Funk <fu...@apache.org>.
It's there "for convenience" (and been there "forever") - but it is a 
great big security hole if we ignore case (Try asking for 
/web-INF/wEb.xml - or even more evil  "/web-INF/wEb.xm%6c")
 

-Tim

André Warnier wrote:
> Even that wouldn't work.
> Since the filesystem is case-sensitive, it may well have both 
> "abc.html" and "ABC.HTML" in the same directory. So which one would it 
> pick to keep ?
>
> So, back to the Tomcat developers.  What /is/ the point of the 
> caseSensitive attribute in the <Context> element ?
 



Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
>> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>>
>> Now if the attribute is false, does that mean that Tomcat will try all
>> possible case variations between "abc.html" and "ABC.HTML" before it
>> gives up ?
> 
> I just looked at the code in FileDirContext.java (and related classes), and it does not seem to.  It wouldn't have to try all variations; it could simply use the String.equalsIgnoreCase() method on each entry in the directory of interest, or force everything to one case or another when it builds its internal lookup table - but I couldn't find anything like that going on.
> 
Even that wouldn't work.
Since the filesystem is case-sensitive, it may well have both "abc.html" 
and "ABC.HTML" in the same directory. So which one would it pick to keep ?

So, back to the Tomcat developers.  What /is/ the point of the 
caseSensitive attribute in the <Context> element ?





RE: Tomcat 6.0.18 access files case-insensitive

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Tomcat 6.0.18 access files case-insensitive
> 
> Now if the attribute is false, does that mean that Tomcat will try all
> possible case variations between "abc.html" and "ABC.HTML" before it
> gives up ?

I just looked at the code in FileDirContext.java (and related classes), and it does not seem to.  It wouldn't have to try all variations; it could simply use the String.equalsIgnoreCase() method on each entry in the directory of interest, or force everything to one case or another when it builds its internal lookup table - but I couldn't find anything like that going on.

> And otherwise, what's the point ?

You got me.

 - Chuck




Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:aw@ice-sa.com]
> 
>> I also wonder what the purpose of this attribute really is, in fact.
>> Should this not always be left to "case sensitive = true" ?
> 
> Unless you're begging for trouble, or have a really, really sloppy programming staff.
> 
>> - but under a case-sensitive filesystem, what would be a good reason to
>> set it to "false" ?
> 
> Extremely lazy users, or non-browser clients that were badly and inconsistently programmed.
> 
Well, just follow me for a minute.

Suppose we do have a case-sensitive filesystem, and we set this 
attribute to false.
The URL is case-sensitive anyway. Or rather, let's say that it is 
treated "as is".

Now suppose there exists a file in the (case-sensitive) filesystem 
called "ABC.HTML".
And suppose the client asks for "/abc.html".

Now if the attribute is false, does that mean that Tomcat will try all 
possible case variations between "abc.html" and "ABC.HTML" before it 
gives up ?

And otherwise, what's the point ?




RE: Tomcat 6.0.18 access files case-insensitive

Posted by "Caldarale, Charles R" <Ch...@unisys.com>.
> From: André Warnier [mailto:aw@ice-sa.com]
> Subject: Re: Tomcat 6.0.18 access files case-insensitive
> 
> So apparently Tomcat does not just use the standard Windows 
> file..open function, it runs additional checks.

Tomcat doesn't use Windows anything, it uses the JRE methods.  Underlying those are calls to Windows APIs.  Once the File object is created, by default it does check that the requested name exactly matches the found name.

> I personally find this paragraph rather obscure

It's not obscure, it's wrong; the first sentence is backwards, as you noticed.

> Should the first phrase not read
> "If the value of this flag is true, all case sensitivity checks will be
> *enabled*."

Agreed.

> I also wonder what the purpose of this attribute really is, in fact.
> Should this not always be left to "case sensitive = true" ?

Unless you're begging for trouble, or have a really, really sloppy programming staff.

> - but under a case-sensitive filesystem, what would be a good reason to
> set it to "false" ?

Extremely lazy users, or non-browser clients that were badly and inconsistently programmed.

 - Chuck
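
An added example, not Tomcat's own code, of a check that the requested name exactly matches the name found on disk, and of why a case-sensitive rule for /WEB-INF/ depends on it. It uses `Path.toRealPath()` from java.nio as a stand-in for whatever JRE calls Tomcat makes; the class, method names and sample tree are constructed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class ExactCaseCheck {

    /** True only if the file exists and its stored spelling equals the requested one. */
    static boolean onDiskNameMatches(Path candidate) {
        Path real;
        try {
            // On a case-insensitive filesystem this succeeds for any spelling and
            // returns the name elements in their actual (stored) case.
            real = candidate.toRealPath();
        } catch (IOException e) {
            return false;   // case-sensitive filesystem: no file with that spelling
        }
        // String comparison is case-sensitive even where Path comparison is not.
        // A symbolic link in the path also fails here, which errs on the safe side.
        return real.toString().equals(candidate.toString());
    }

    static String decide(Path docBase, String requested) throws IOException {
        Path base = docBase.toRealPath();
        Path candidate = base.resolve(requested).normalize();
        if (!candidate.startsWith(base) || candidate.equals(base)) {
            return "404 (outside document base)";
        }
        // Case-sensitive deny rule, applied to the normalized path.
        String top = base.relativize(candidate).getName(0).toString();
        if (top.equals("WEB-INF") || top.equals("META-INF")) {
            return "404 (protected directory)";
        }
        // Without this check, "web-inf/web.xml" passes the rule above and, on a
        // case-insensitive filesystem, opens the protected file.
        if (!onDiskNameMatches(candidate)) {
            return "404 (no exact name match)";
        }
        return "200";
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree, built in a temporary directory.
        Path docBase = Files.createTempDirectory("docbase");
        Files.createFile(docBase.resolve("tomcat.gif"));
        Files.createDirectory(docBase.resolve("WEB-INF"));
        Files.createFile(docBase.resolve("WEB-INF").resolve("web.xml"));

        String[] requests = {"tomcat.gif", "tomcaT.gif", "WEB-INF/web.xml",
                             "web-inf/web.xml", "x/../WEB-INF/web.xml"};
        for (String r : requests) {
            System.out.println(r + " -> " + decide(docBase, r));
        }
    }
}
```

Only `tomcat.gif` is served, on Windows and Linux alike: on a case-sensitive filesystem the misspelled names do not exist, and on a case-insensitive one the stored spelling differs from the requested one.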




Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Markus Schönhaber wrote:
> André Warnier:
> 
>> the filesystem which matters.  If the filesystem is case-insensitive, it 
>> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
> 
> No. Try
> http://localhost:8080/tomcat.gif
> and
> http://localhost:8080/tomcaT.gif
> with a default Tomcat install.
> 
Sorry, I was only reasoning this platonically.
And apparently I was wrong, at least on my Windows Tomcat 5.5.
The second access above gives a 404.
So what's the deal again ?

Under Windows, one can create a file named "tomcat.gif" OR "tomcaT.gif", 
and the filesystem will effectively record the filename with the 
capitalisation as given when creating the file.

Suppose I have created it as "tomcat.gif".
With a text editor (or whatever) I can open this file by specifying (in 
the File..open dialog), a name typed in as "tomcaT.gif" (I just tried).
Thus at that level it is case-insensitive.
I can also not create another file in the same directory, named 
"tomcaT.gif".  If I try, I get a message saying that a file with the 
same name already exists (meaning the "tomcat.gif").  Thus at that level 
also it is case-insensitive.

However, via Tomcat (like the above link), if I specify a URL of 
"tomcaT.gif", I get a 404.
So apparently Tomcat does not just use the standard Windows file..open 
function, it runs additional checks.
Good.
Because if it did not, then I could request /myapp/web-inf/anything and 
get it, bypassing the /WEB-INF/ protection.


In the Tomcat on-line documentation, both for 5.5. and 6.0, for the 
Context element, I find the following explanation for the attribute 
"caseSensitive" :

"If the value of this flag is true, all case sensitivity checks will be 
disabled. If not specified, the default value of the flag is true.

NOTE: This flag MUST NOT be set to false on the Windows platform (or any 
other OS which does not have a case sensitive filesystem), as it will 
disable case sensitivity checks, allowing JSP source code disclosure, 
among other security problems."

I personally find this paragraph rather obscure, since the first and 
third phrase seem to contradict each other.
In the 1st one it says that, if set to true, all case sensitivity checks 
will be disabled. (true -> disabled)
In the third, it says that setting it to false will disable case 
sensitivity checks. (false -> disabled)

So both true and false disable case-sensitivity checks.
Mmmmm..  in the quantum realm maybe, but in Tomcat ?

Should the first phrase not read
"If the value of this flag is true, all case sensitivity checks will be 
*enabled*."

?

I also wonder what the purpose of this attribute really is, in fact.
Should this not always be left to "case sensitive = true" ?
- under Windows or any case-insensitive filesystem, it should be left to 
"true". Ok, understandable.
- but under a case-sensitive filesystem, what would be a good reason to 
set it to "false" ?





Re: Tomcat 6.0.18 access files case-insensitive

Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
Markus Schönhaber:

> André Warnier:
> 
>> the filesystem which matters.  If the filesystem is case-insensitive, it 
>> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
> 
> No. Try

Hm, re-reading the way you asked the question, this should be "Yes, it
does matter" instead of "No". ;-)

-- 
Regards
  mks



Re: Tomcat 6.0.18 access files case-insensitive

Posted by Markus Schönhaber <to...@list-post.mks-mail.de>.
André Warnier:

> the filesystem which matters.  If the filesystem is case-insensitive, it 
> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?

No. Try
http://localhost:8080/tomcat.gif
and
http://localhost:8080/tomcaT.gif
with a default Tomcat install.

-- 
Regards
  mks



Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Christopher Schultz wrote:
> André,
> 
> On 6/11/2009 6:32 AM, André Warnier wrote:
>> It's not a "base feature" of either Java or Tomcat, it's a base feature
>> of the OS.  Windows filesystems are (relatively, see below)
>> case-insensitive, Unix/Linux are absolutely case-sensitive.  Since Java
>> and Java applications are supposed to run on both, they have to choose.
>>  By default, Tomcat acts case-sensitive.
> 
> And furthermore, URLs themselves are case-sensitive (see HTTP/1.1
> section 3.2.3).
> 
Nitpicking :
Well, yes.  But in this case it is the mapping of a URL to an object on 
the filesystem which matters.  If the filesystem is case-insensitive, it 
doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
Or am I forgetting something ?




Re: Tomcat 6.0.18 access files case-insensitive

Posted by Christopher Schultz <ch...@christopherschultz.net>.
André,

On 6/11/2009 6:32 AM, André Warnier wrote:
> It's not a "base feature" of either Java or Tomcat, it's a base feature
> of the OS.  Windows filesystems are (relatively, see below)
> case-insensitive, Unix/Linux are absolutely case-sensitive.  Since Java
> and Java applications are supposed to run on both, they have to choose.
>  By default, Tomcat acts case-sensitive.

And furthermore, URLs themselves are case-sensitive (see HTTP/1.1
section 3.2.3).

-chris



Re: Tomcat 6.0.18 access files case-insensitive

Posted by André Warnier <aw...@ice-sa.com>.
Alexander Diedler wrote:
> Hello,
> 
> We have an application based on IIS 6.0 and Tomcat 6.0.18. In this
> application a PDF is opened (href=start.PDF). This PDF contains many
> links to other documents, which are opened in the browser (KapA.PDF,
> KapB.PDF). Now the distributor delivers update files with changing extensions
> or names.  The link is KapA.PDF in the overview, but the file is called
> KapA.pdf on the filesystem, and Tomcat said 404 because "PDF" does not equal "pdf".
> It can also be kapb.pdf in the overview and KAPB.PDF on the filesystem.
> 
> Is there any option to disable case sensitivity in Tomcat, or is it a
> "base-feature" of the Java architecture?
> 
It's not a "base feature" of either Java or Tomcat, it's a base feature 
of the OS.  Windows filesystems are (relatively, see below) 
case-insensitive, Unix/Linux are absolutely case-sensitive.  Since Java 
and Java applications are supposed to run on both, they have to choose.
By default, Tomcat acts case-sensitive.
You can disable that, but I would be very careful if I was you, because 
you may trigger a whole bunch of other problems, for instance with 
access security.
The real problem here is the inconsistency of the original documents. 
You should tell your supplier to be consistent.  Or else, you should 
filter the documents when you receive them, and replace the links by 
consistent ones.  There exists PDF-handling software that allows you to 
do that kind of thing.
Or else, you should implement a servlet filter which takes care of these 
links in particular, and make sure that when /you/ write documents to 
your filesystem, you always write them in a consistent way.
Even under Windows, you can /force/ filenames to be all lowercase on 
disk.  Windows creates and stores filenames in the upper/lower case that 
you specify.  It is just at retrieval time that Windows acts in a 
case-insensitive fashion.




Re: Tomcat 6.0.18 access files case-insensitive

Posted by Tim Funk <fu...@apache.org>.
See |caseSensitive| here 
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

But doing so makes your installation VERY insecure in a Windows 
environment. (Since ACLs can be bypassed since most ACL rules are case 
sensitive)

If performance is of no concern - you could go crazy and force all URLs 
to lower case (using a filter to 30X redirects) then your ACL rules can 
be "simplified". But even that idea might have some flaws in it.

-Tim

Alexander Diedler wrote:
>
> Hello,
>
> We have an application based on IIS 6.0 and Tomcat 6.0.18. In this 
> application a PDF is opened (href=start.PDF). This PDF contains 
> many links to other documents, which are opened in the browser 
> (KapA.PDF, KapB.PDF). Now the distributor delivers update files with 
> changing extensions or names. The link is KapA.PDF in the overview, 
> but the file is called KapA.pdf on the filesystem, and Tomcat said 404 
> because “PDF” does not equal “pdf”. It can also be kapb.pdf in the 
> overview and KAPB.PDF on the filesystem.
>
> Is there any option to disable case sensitivity in Tomcat, or is it a 
> “base-feature” of the Java architecture?
>
> Greetings
>
> Alexander
>

