Posted to dev@tomcat.apache.org by bu...@apache.org on 2006/01/04 22:20:38 UTC

DO NOT REPLY [Bug 38128] New: - directory listings DoS

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=38128>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=38128

           Summary: directory listings DoS
           Product: Tomcat 5
           Version: 5.5.14
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
        AssignedTo: tomcat-dev@jakarta.apache.org
        ReportedBy: rafaels@redhat.com


With directory listings enabled, multiple requests to a large directory can
cause tomcat to quickly run out of memory and die.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org


------- Additional Comments From rafaels@redhat.com  2006-04-27 00:02 -------
Is there anything I can do to expedite the process? I would really like to see a
fix for the problem incorporated. Without some fix it is impossible to use the
directory listing feature when even moderately large directories are involved.



------- Additional Comments From markt@apache.org  2006-04-26 21:04 -------
Patch is yet to be evaluated.



------- Additional Comments From rafaels@redhat.com  2006-01-04 22:22 -------
Created an attachment (id=17328)
 --> (http://issues.apache.org/bugzilla/attachment.cgi?id=17328&action=view)
patch for caching directory listings

This patch addresses the DoS problem and significantly improves directory
listing performance.



------- Additional Comments From rafaels@redhat.com  2006-04-26 13:48 -------
Does anyone know what the status regarding this patch is? I believe the problem
still affects the latest versions of tomcat.




yoavs@computer.org changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |WONTFIX




------- Additional Comments From yoavs@computer.org  2006-12-24 17:38 -------
There are a few things I dislike in this patch.

You shouldn't catch Throwables and then silently not handle them.  You shouldn't
even do that with Exceptions, but certainly not Throwables.  That by itself
means -1 on the patch as it stands currently.

Then there's the overall weight of the solution: adding a custom cache and tying
it into the default web.xml just for this case seems overweight.  I wonder if
there's an easier solution without caching, and certainly without a time-based
cache which means additional background processing.  One approach that comes to
mind is a no-op XSLT for customizations, as documented in
http://tomcat.apache.org/tomcat-5.0-doc/default-servlet.html#dir

Finally, as you probably know directory listings are easy to disable: see
http://marc.theaimsgroup.com/?l=tomcat-user&m=105525007220640&w=2 for example of
the one setting change required.  For others concerned about this DoS (and I
don't think there are any, seeing as how no one else has opined on this issue
and/or posted such a DoS on the mailing lists), they can simply disable
directory listings.

Because of these, I'm going to mark this particular patch as WONTFIX.  If
someone else strongly feels this patch should be applied as-is, they can
say so here.  Otherwise, maybe a more lightweight patch can be attached to the
issue (and the issue itself reopened), that is if anyone still cares.



------- Additional Comments From rafaels@redhat.com  2006-12-26 07:56 -------
(In reply to comment #5)
> There are a few things I dislike in this patch.
> 
> You shouldn't catch Throwables and then silently not handle them.  You shouldn't
> even do that with Exceptions, but certainly not Throwables.  That by itself
> means -1 on the patch as it stands currently.

I agree that catching Throwable is a really bad idea; however, the DefaultServlet
code does this repeatedly when accessing parameters from the servlet config. I
chose to keep the code consistent and follow the pattern already prevalent when
making this patch. I believe it should be a simple matter to string replace
Throwable with a more appropriate exception in this code.

> Then there's the overall weight of the solution: adding a custom cache and tying
> it into the default web.xml just for this case seems overweight.  I wonder if
> there's an easier solution without caching, and certainly without a time-based
> cache which means additional background processing.  One approach that comes to
> mind is a no-op XSLT for customizations, as documented in
> http://tomcat.apache.org/tomcat-5.0-doc/default-servlet.html#dir
> 
> Finally, as you probably know directory listings are easy to disable: see
> http://marc.theaimsgroup.com/?l=tomcat-user&m=105525007220640&w=2 for example of
> the one setting change required.  For others concerned about this DoS (and I
> don't think there are any, seeing as how no one else has opined on this issue
> and/or posted such a DoS on the mailing lists), they can simply disable
> directory listings.
> 
> Because of these, I'm going to mark this particular patch as WONTFIX.  If
> someone else strongly feels this patch should be applied as-is, they can
> say so here.  Otherwise, maybe a more lightweight patch can be attached to the
> issue (and the issue itself reopened), that is if anyone still cares.

The caching this patch adds is not just a special purpose fix to eliminate a
DoS, it also significantly improves the performance of directory listings in the
general case. Please review my posts to the dev lists containing my benchmarks
comparing performance with and without the patch in place.



------- Additional Comments From yoavs@computer.org  2006-12-26 07:58 -------
Note I've also converted existing DefaultServlet catch(Throwable t) code to
catching exceptions.

I saw your mailing list messages, and I believe the benchmarks.  I still think
this approach is too heavyweight.
