[Bug 61201] New: CGIServlet adds too much to the SCRIPT_NAME environment variable if script followed by extra path

Previous Topic Next Topic
 
classic Classic list List threaded Threaded
4 messages Options
Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61201] New: CGIServlet adds too much to the SCRIPT_NAME environment variable if script followed by extra path

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61201

            Bug ID: 61201
           Summary: CGIServlet adds too much to the SCRIPT_NAME
                    environment variable if script followed by extra path
           Product: Tomcat 9
           Version: 9.0.0.M21
          Hardware: PC
                OS: Linux
            Status: NEW
          Severity: normal
          Priority: P2
         Component: Catalina
          Assignee: [hidden email]
          Reporter: [hidden email]
  Target Milestone: -----

I run the following bash script as CGI (test2.sh):

-----
#!/bin/bash

echo "Content-Type: text/plain"
echo

set
-----

If I call it as

http://127.0.0.1:8086/nextcloud/test2.sh

it outputs

[...]
SCRIPT_NAME=/nextcloud/test2.sh
[...]

If I call it as

http://127.0.0.1:8086/nextcloud/test2.sh/login

it outputs

[...]
SCRIPT_NAME=/nextcloud/test2.sh/login/test2.sh
[...]


But the value of $SCRIPT_NAME should stay the same.

Excerpt from my web.xml:

   <servlet>
      <servlet-name>test-cgi</servlet-name>
      <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
      <init-param>
        <param-name>executable</param-name>
        <param-value>/bin/bash</param-value>
      </init-param>
      <init-param>
        <param-name>passShellEnvironment</param-name>
        <param-value>true</param-value>
      </init-param>
   </servlet>

   <servlet-mapping>
      <servlet-name>test-cgi</servlet-name>
      <url-pattern>*.sh</url-pattern>
    </servlet-mapping>

   <servlet-mapping>
      <servlet-name>test-cgi</servlet-name>
      <url-pattern>/test2.sh/login</url-pattern>
    </servlet-mapping>

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61201] CGIServlet adds too much to the SCRIPT_NAME environment variable if script followed by extra path

Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61201

--- Comment #1 from Mark Thomas <[hidden email]> ---
Hmm. The CGI servlet isn't designed to be mapped that way. I'm a little
surprised it even worked.

The docs aren't clear on what is expected to work and what isn't.

The script finding logic appears depend on what sort of mapping is used. The
new getHttpServletMapping() in Servlet 4.0 may enable a wider range of mappings
to be supported.

I need to dig into this some more. At the moment, the minimum I anticipate
doing is:
- documented which mapping styles are supported and which are not
- updating the checks in 9.0.x (and 8.5.x since the Servlet 4.0 functionality
is back-ported) to reject requests using unsupported mapping types.

At best, I'll add support for all mapping types and document each.

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

[Bug 61201] CGIServlet adds too much to the SCRIPT_NAME environment variable if script followed by extra path

Bugzilla from bugzilla@apache.org
In reply to this post by Bugzilla from bugzilla@apache.org
https://bz.apache.org/bugzilla/show_bug.cgi?id=61201

Mark Thomas <[hidden email]> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |FIXED
             Status|NEW                         |RESOLVED

--- Comment #2 from Mark Thomas <[hidden email]> ---
That turned out much better than I expected. The fix was simple and did not
need to depend on the new Servlet 4.0 features. Best of all, it used LESS code.

Fixed in:
- trunk for 9.0.0.M22 onwards
- 8.5.x for 8.5.16 onwards
- 8.0.x for 8.0.45 onwards
- 7.0.x for 7.0.79 onwards

--
You are receiving this mail because:
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Reply | Threaded
Open this post in threaded view
|  
Report Content as Inappropriate

Re: [Bug 61201] CGIServlet adds too much to the SCRIPT_NAME environment variable if script followed by extra path

Jan Michael Greiner
> From: "[hidden email]" <[hidden email]>
> To: [hidden email]
> Sent: Tuesday, June 20, 2017 11:13 PM
> Subject: [Bug 61201] CGIServlet adds too much to the SCRIPT_NAME environment variable if script followed by extra path
>

> https://bz.apache.org/bugzilla/show_bug.cgi?id=61201
>
> Mark Thomas <[hidden email]> changed:
>
>           What    |Removed                    |Added
> ----------------------------------------------------------------------------
>         Resolution|---                        |FIXED
>             Status|NEW                        |RESOLVED
>
> --- Comment #2 from Mark Thomas <[hidden email]> ---
> That turned out much better than I expected. The fix was simple and did not
> need to depend on the new Servlet 4.0 features. Best of all, it used LESS code.
>
> Fixed in:
> - trunk for 9.0.0.M22 onwards
> - 8.5.x for 8.5.16 onwards
> - 8.0.x for 8.0.45 onwards
> - 7.0.x for 7.0.79 onwards
Thank you. I didn't know that Tomcat support is THAT fast :-)

I have not looked at your changes yet, because I have not yet installed subversion, sorry for that, I will as soon as possible.

In the last days I hacked CGIServlet.java

- Translation of GET parameters to command line arguments disabled by default, can be enabled by configuration.
I don't like the idea that CGIs are that much exposed... (I don't like CGIs at all by the way :-) )
I never saw a CGI script that uses this feature.


- Allow configuration of additional environment variables.
I need this feature for the sqwebmail CGI.
Maybe it is needed for the git server CGI (git-http-backend), to set GIT_PROJECT_ROOT
Bug reported by myself :-)
https://bz.apache.org/bugzilla/show_bug.cgi?id=61189


- directory walker to properly search for the CGI script and properly create SCRIPT_NAME and PATH_INFO, no matter how the servlet is mapped.

- don't do a second directory walk to extract the script from an eventually packed web app archive.

- Stop directory walk as soon as the request quits existing directories.


It is carefully coded, but only tested with some simple examples, including a simple example with configured cgiPathPrefix.
It is not yet tested with a packed web app archive.


I would be happy to hear what you think about it, or if you even can take some usefull parts from it.



Best regards and thank you

Jan Michael Greiner


---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

CGIServlet.zip (22K) Download Attachment
Loading...