Bug#294707: tomcat4: Tomcat ignores "allowLinking" resource on restart (not reload) from manager

Sergey Sholokh Sergey Sholokh <sergey@guard.kiev.ua>, 294707@bugs.debian.org
Fri Feb 11 02:24:07 2005


This is a multi-part MIME message sent by reportbug.

--===============1566447498==
Content-Type: text/plain; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: inline

Package: tomcat4
Version: 4.1.31-local-3
Severity: important
Tags: patch

Tomcat forgets "allowLinking" resource on restart from manager
interface.
Quick investigation has shown - during stop "allowLinking" resetting to
false and the system startup will fail.
I have found that bug in tomcat maillist
(http://issues.apache.org/bugzilla/show_bug.cgi?id=21818)
In HEAD that bug is fixed.
But in debian package not yet :-(

I have stolen a patch fron CVS and apply to source from debian package.
After install that package I had pass some test with restart
application from manager (I use log4j symlink in WEB-INF in my webapp). Its work fine. 


-- System Information:
Debian Release: 3.1
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: i386 (i686)
Kernel: Linux 2.6.10-dl380-g3.guard
Locale: LANG=C, LC_CTYPE=C (charmap=ANSI_X3.4-1968)

Versions of packages tomcat4 depends on:
ii  adduser                   3.59           Add and remove users and groups
ii  apache2-common            2.0.52-3       Next generation, scalable, extenda
ii  libtomcat4-java           4.1.31-local-3 Java Servlet engine -- core librar
ii  sun-j2sdk1.5 [java-compil 1.5.0+update01 Java(TM) 2 SDK, Standard Edition, 
ii  sun-j2sdk1.5debian [java- 0.18           Debian specific parts of Java(TM) 

-- no debconf information


The patch:


diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java	2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java	2005-02-10 16:39:03.000000000 +0200
@@ -82,7 +82,7 @@
  *
  * @author Craig R. McClanahan
  * @author Remy Maucherat
- * @version $Revision: 1.125 $ $Date: 2004/08/26 21:32:20 $
+ * @version $Revision: 1.126 $ $Date: 2004/11/19 20:52:02 $
  */
 
 public class StandardContext
@@ -134,7 +134,6 @@
      */
     private boolean available = false;
 
-
     /**
      * The Locale to character set mapper for this application.
      */
@@ -417,6 +416,24 @@
 
 
     /**
+     * Case sensitivity.
+     */
+    protected boolean caseSensitive = true;
+
+
+    /**
+     * Allow linking.
+     */
+    protected boolean allowLinking = false;
+
+
+    /**
+     * Cache TTL in ms.
+     */
+    protected int cacheTTL = 5000;
+
+
+    /**
      * Caching allowed flag.
      */
     protected boolean cachingAllowed = true;
@@ -427,6 +444,7 @@
      */
     protected DirContext webappResources = null;
 
+    
 
     // ----------------------------------------------------- Context Properties
 
@@ -447,6 +465,55 @@
     }
 
 
+
+    /**
+     * Set case sensitivity.
+     */
+    public void setCaseSensitive(boolean caseSensitive) {
+        this.caseSensitive = caseSensitive;
+    }
+
+
+    /**
+     * Is case sensitive ?
+     */
+    public boolean isCaseSensitive() {
+        return caseSensitive;
+    }
+
+
+    /**
+     * Set allow linking.
+     */
+    public void setAllowLinking(boolean allowLinking) {
+        this.allowLinking = allowLinking;
+    }
+
+
+    /**
+     * Is linking allowed.
+     */
+    public boolean isAllowLinking() {
+        return allowLinking;
+    }
+
+
+    /**
+     * Set cache TTL.
+     */
+    public void setCacheTTL(int cacheTTL) {
+        this.cacheTTL = cacheTTL;
+    }
+
+
+    /**
+     * Get cache TTL.
+     */
+    public int getCacheTTL() {
+        return cacheTTL;
+    }
+
+
     /**
      * Returns true if the internal naming support is used.
      */
@@ -3281,8 +3348,19 @@
         try {
             ProxyDirContext proxyDirContext = 
                 new ProxyDirContext(env, webappResources);
+            if (webappResources instanceof FileDirContext) {
+                filesystemBased = true;
+                ((FileDirContext) webappResources).setCaseSensitive
+                    (isCaseSensitive());
+                ((FileDirContext) webappResources).setAllowLinking
+                    (isAllowLinking());
+            }
+
             if (webappResources instanceof BaseDirContext) {
                 ((BaseDirContext) webappResources).setDocBase(getBasePath());
+                ((BaseDirContext) webappResources).setCached
+                    (isCachingAllowed());
+                ((BaseDirContext) webappResources).setCacheTTL(getCacheTTL());
                 ((BaseDirContext) webappResources).allocate();
             }
             this.resources = proxyDirContext;
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml	2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml	2005-02-10 16:46:12.000000000 +0200
@@ -6,7 +6,7 @@
 <!--
      Descriptions of JMX MBeans for Catalina
 
-     $Id: mbeans-descriptors.xml,v 1.82 2004/01/25 23:07:16 billbarker Exp $
+     $Id: mbeans-descriptors.xml,v 1.83 2004/11/19 20:52:02 markt Exp $
  -->
 
 <mbeans-descriptors>
@@ -2072,9 +2072,23 @@
                 group="Context"
                  type="org.apache.catalina.core.StandardContext">
 
-    <attribute   name="cookies"
-          description="Should we attempt to use cookies for session id
-                        communication?"
+    <attribute   name="allowLinking"
+          description="Allow symlinking to outside the webapp root directory, if the webapp is an exploded directory"
+                   is="true"
+                 type="boolean"/>
+
+    <attribute   name="cacheTTL"
+          description="Time interval in ms between cache refeshes"
+                 type="int"/>
+      
+    <attribute   name="cachingAllowed"
+          description="Should we cache static resources for this webapp"
+                   is="true"
+                 type="boolean"/>
+
+    <attribute   name="caseSensitive"
+          description="Should case sensitivity checks be performed"
+                   is="true"
                  type="boolean"/>
 
     <attribute   name="cookies"
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml	2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml	2005-02-10 17:03:37.000000000 +0200
@@ -169,12 +169,38 @@
 
     <attributes>
 
+      <attribute name="allowLinking" required="false">
+        <p>If the value of this flag is <code>true</code>, symlinks will be
+        allowed inside the web application, pointing to resources outside the
+        web application base path. If not specified, the default value
+        of the flag is <code>false</code>.</p>
+        <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform
+        (or any other OS which does not have a case sensitive filesystem),
+        as it will disable case sensitivity checks, allowing JSP source code
+        disclosure, among other security problems.</b></p>
+      </attribute>
+
+      <attribute name="cacheTTL" required="false">
+        <p>Amount of time in milliseconds between cache entries revalidation.
+        If not specified, the default value is <code>5000</code> 
+        (5 seconds).</p>
+      </attribute>
+
       <attribute name="cachingAllowed" required="false">
         <p>This boolean flag indicates if the resources may be cached. It
         defaults to <code>true</code>. If set to <code>false</code>, this
         flag overrides the <em>cached</em> attribute of any contained
-        <a href="resources.html">Resources</a>
- element.</p>
+        <a href="resources.html">Resources</a>
 element.</p>
+      </attribute>
+
+      <attribute name="caseSensitive" required="false">
+        <p>If the value of this flag is <code>true</code>, all case sensitivity
+        checks will be disabled. If not 
+        specified, the default value of the flag is <code>true</code>.</p>
+        <p><b>NOTE: This flag MUST NOT be set to false on the Windows platform
+        (or any other OS which does not have a case sensitive filesystem),
+        as it will disable case sensitivity checks, allowing JSP source code
+        disclosure, among other security problems.</b></p>
       </attribute>
 
       <attribute name="debug" required="false">
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml	2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml	2005-02-10 17:05:38.000000000 +0200
@@ -85,8 +85,8 @@
       </attribute>
 
       <attribute name="caseSensitive" required="false">
-        <p>This boolean flag toggles case sensitivity for resourceson 
-        the Windows platform. Defaults to <code>true</code>.</p>
+        <p>This is the functional equivalent to the <em>caseSensitive</em> 
+        of a <a href="context.html">Context</a>.</p>
       </attribute>
 
       <attribute name="docBase" required="false">

--===============1566447498==
Content-Type: text/x-c++; charset="us-ascii"
MIME-Version: 1.0
Content-Transfer-Encoding: 7bit
Content-Disposition: attachment; filename="stolen.diff"

diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/core/StandardContext.java	2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/core/StandardContext.java	2005-02-10 16:39:03.000000000 +0200
@@ -82,7 +82,7 @@
  *
  * @author Craig R. McClanahan
  * @author Remy Maucherat
- * @version $Revision: 1.125 $ $Date: 2004/08/26 21:32:20 $
+ * @version $Revision: 1.126 $ $Date: 2004/11/19 20:52:02 $
  */
 
 public class StandardContext
@@ -134,7 +134,6 @@
      */
     private boolean available = false;
 
-
     /**
      * The Locale to character set mapper for this application.
      */
@@ -417,6 +416,24 @@
 
 
     /**
+     * Case sensitivity.
+     */
+    protected boolean caseSensitive = true;
+
+
+    /**
+     * Allow linking.
+     */
+    protected boolean allowLinking = false;
+
+
+    /**
+     * Cache TTL in ms.
+     */
+    protected int cacheTTL = 5000;
+
+
+    /**
      * Caching allowed flag.
      */
     protected boolean cachingAllowed = true;
@@ -427,6 +444,7 @@
      */
     protected DirContext webappResources = null;
 
+    
 
     // ----------------------------------------------------- Context Properties
 
@@ -447,6 +465,55 @@
     }
 
 
+
+    /**
+     * Set case sensitivity.
+     */
+    public void setCaseSensitive(boolean caseSensitive) {
+        this.caseSensitive = caseSensitive;
+    }
+
+
+    /**
+     * Is case sensitive ?
+     */
+    public boolean isCaseSensitive() {
+        return caseSensitive;
+    }
+
+
+    /**
+     * Set allow linking.
+     */
+    public void setAllowLinking(boolean allowLinking) {
+        this.allowLinking = allowLinking;
+    }
+
+
+    /**
+     * Is linking allowed.
+     */
+    public boolean isAllowLinking() {
+        return allowLinking;
+    }
+
+
+    /**
+     * Set cache TTL.
+     */
+    public void setCacheTTL(int cacheTTL) {
+        this.cacheTTL = cacheTTL;
+    }
+
+
+    /**
+     * Get cache TTL.
+     */
+    public int getCacheTTL() {
+        return cacheTTL;
+    }
+
+
     /**
      * Returns true if the internal naming support is used.
      */
@@ -3281,8 +3348,19 @@
         try {
             ProxyDirContext proxyDirContext = 
                 new ProxyDirContext(env, webappResources);
+            if (webappResources instanceof FileDirContext) {
+                filesystemBased = true;
+                ((FileDirContext) webappResources).setCaseSensitive
+                    (isCaseSensitive());
+                ((FileDirContext) webappResources).setAllowLinking
+                    (isAllowLinking());
+            }
+
             if (webappResources instanceof BaseDirContext) {
                 ((BaseDirContext) webappResources).setDocBase(getBasePath());
+                ((BaseDirContext) webappResources).setCached
+                    (isCachingAllowed());
+                ((BaseDirContext) webappResources).setCacheTTL(getCacheTTL());
                 ((BaseDirContext) webappResources).allocate();
             }
             this.resources = proxyDirContext;
diff -Nur jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml
--- jakarta-tomcat-4.1.31-src.orig/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml	2004-09-25 19:44:19.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/catalina/src/share/org/apache/catalina/mbeans/mbeans-descriptors.xml	2005-02-10 16:46:12.000000000 +0200
@@ -6,7 +6,7 @@
 <!--
      Descriptions of JMX MBeans for Catalina
 
-     $Id: mbeans-descriptors.xml,v 1.82 2004/01/25 23:07:16 billbarker Exp $
+     $Id: mbeans-descriptors.xml,v 1.83 2004/11/19 20:52:02 markt Exp $
  -->
 
 <mbeans-descriptors>
@@ -2072,9 +2072,23 @@
                 group="Context"
                  type="org.apache.catalina.core.StandardContext">
 
-    <attribute   name="cookies"
-          description="Should we attempt to use cookies for session id
-                        communication?"
+    <attribute   name="allowLinking"
+          description="Allow symlinking to outside the webapp root directory, if the webapp is an exploded directory"
+                   is="true"
+                 type="boolean"/>
+
+    <attribute   name="cacheTTL"
+          description="Time interval in ms between cache refeshes"
+                 type="int"/>
+      
+    <attribute   name="cachingAllowed"
+          description="Should we cache static resources for this webapp"
+                   is="true"
+                 type="boolean"/>
+
+    <attribute   name="caseSensitive"
+          description="Should case sensitivity checks be performed"
+                   is="true"
                  type="boolean"/>
 
     <attribute   name="cookies"
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/context.xml	2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/context.xml	2005-02-10 17:03:37.000000000 +0200
@@ -169,12 +169,38 @@
 
     <attributes>
 
+      <attribute name="allowLinking" required="false">
+        <p>If the value of this flag is <code>true</code>, symlinks will be
+        allowed inside the web application, pointing to resources outside the
+        web application base path. If not specified, the default value
+        of the flag is <code>false</code>.</p>
+        <p><b>NOTE: This flag MUST NOT be set to true on the Windows platform
+        (or any other OS which does not have a case sensitive filesystem),
+        as it will disable case sensitivity checks, allowing JSP source code
+        disclosure, among other security problems.</b></p>
+      </attribute>
+
+      <attribute name="cacheTTL" required="false">
+        <p>Amount of time in milliseconds between cache entries revalidation.
+        If not specified, the default value is <code>5000</code> 
+        (5 seconds).</p>
+      </attribute>
+
       <attribute name="cachingAllowed" required="false">
         <p>This boolean flag indicates if the resources may be cached. It
         defaults to <code>true</code>. If set to <code>false</code>, this
         flag overrides the <em>cached</em> attribute of any contained
-        <a href="resources.html">Resources</a>
- element.</p>
+        <a href="resources.html">Resources</a>
 element.</p>
+      </attribute>
+
+      <attribute name="caseSensitive" required="false">
+        <p>If the value of this flag is <code>true</code>, all case sensitivity
+        checks will be disabled. If not 
+        specified, the default value of the flag is <code>true</code>.</p>
+        <p><b>NOTE: This flag MUST NOT be set to false on the Windows platform
+        (or any other OS which does not have a case sensitive filesystem),
+        as it will disable case sensitivity checks, allowing JSP source code
+        disclosure, among other security problems.</b></p>
       </attribute>
 
       <attribute name="debug" required="false">
diff -Nur jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml
--- jakarta-tomcat-4.1.31-src.orig/webapps/tomcat-docs/config/resources.xml	2004-09-25 19:44:24.000000000 +0300
+++ jakarta-tomcat-4.1.31-src/webapps/tomcat-docs/config/resources.xml	2005-02-10 17:05:38.000000000 +0200
@@ -85,8 +85,8 @@
       </attribute>
 
       <attribute name="caseSensitive" required="false">
-        <p>This boolean flag toggles case sensitivity for resourceson 
-        the Windows platform. Defaults to <code>true</code>.</p>
+        <p>This is the functional equivalent to the <em>caseSensitive</em> 
+        of a <a href="context.html">Context</a>.</p>
       </attribute>
 
       <attribute name="docBase" required="false">

--===============1566447498==--