getopts of Perl is not working Tomcat 9


getopts of Perl is not working Tomcat 9

Jonnalagadda, Swathi (External)
Hi

We have our web application implemented in Perl CGI which is using the below function of Perl. We are upgrading from Tomcat 8.0.21 to Tomcat 9.0.38.

The below function (getopts) is working fine in Tomcat 8.0.21 but is not working in Tomcat 9.0.38. We even tried Tomcat 9.0.39 as well and it is not working even in 9.0.39.

use Getopt::Std;

getopts('ei:npXP');

Could you please suggest a solution here.

Thanks
Swathi

---------------------------------------------------------------------
To unsubscribe, e-mail: [hidden email]
For additional commands, e-mail: [hidden email]

Re: getopts of Perl is not working Tomcat 9

markt
On 13/11/2020 13:14, Jonnalagadda, Swathi (External) wrote:

> Hi
>
> We have our web application implemented in Perl CGI which is using the below function of Perl. We are upgrading from Tomcat 8.0.21 to Tomcat 9.0.38.
>
> The below function (getopts) is working fine in Tomcat 8.0.21 but is not working in Tomcat 9.0.38. We even tried Tomcat 9.0.39 as well and it is not working even in 9.0.39.
>
> use Getopt::Std;
>
> getopts('ei:npXP');
>
> Could you please suggest a solution here.

How is the CGI servlet configured?

What URL are you using to call the CGI servlet?

Mark


RE: getopts of Perl is not working Tomcat 9

Jonnalagadda, Swathi (External)
Hi Mark,

Thank you for replying on this.

Please find below servlet configuration

<servlet>
        <servlet-name>cgi</servlet-name>
        <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
        <init-param>
          <param-name>cgiPathPrefix</param-name>
          <param-value>cgi-bin</param-value>
          <param-name>executable</param-name>
          <param-value>/usr/bin/perl</param-value>
        </init-param>
        <load-on-startup>5</load-on-startup>
    </servlet>

<servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/cgi-bin/*</url-pattern>
    </servlet-mapping>

The url we access is

http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p

Please note that the cgi files are all under maskedapp/cgi-bin of webapps folder.

Also I have observed that even if I don’t configure cgi servlet in web.xml, the server is executing the cgi file but it is not able to execute getopts method.

Thanks
Swathi



Re: getopts of Perl is not working Tomcat 9

markt
On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote:

> Hi Mark,
>
> Thank you for replying on this.
>
> Please find below servlet configuration
>
> <servlet>
>         <servlet-name>cgi</servlet-name>
>         <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
>         <init-param>
>           <param-name>cgiPathPrefix</param-name>
>           <param-value>cgi-bin</param-value>
>           <param-name>executable</param-name>
>           <param-value>/usr/bin/perl</param-value>
>         </init-param>
>         <load-on-startup>5</load-on-startup>
>     </servlet>

That configuration is not valid. I'm surprised Tomcat even starts with a
configuration like that. Enabling validation would catch that but I'll
look to see if there is more we can do.

> <servlet-mapping>
>         <servlet-name>cgi</servlet-name>
>         <url-pattern>/cgi-bin/*</url-pattern>
>     </servlet-mapping>
>
> The url we access is
> http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p

Given a fixed version of the configuration above, getopts isn't going to
work because you haven't enabled command line arguments.

See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html
Look for enableCmdLineArguments

See also CVE-2019-0232 if you are running on Windows.

> Please note that the cgi files are all under maskedapp/cgi-bin of webapps folder.
>
> Also I have observed that even if I don’t configure cgi servlet in web.xml, the server is executing the cgi file but it is not able to execute getopts method.

Then you have the CGI servlet (or the CGI filter) enabled in another
location. Check both the global and per web application web.xml file.
You'd normally only enable CGI in one location.

Mark
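
The checks described in the reply above (one name/value pair per init-param, CGI enabled in more than one web.xml, command-line arguments switched on), as an added example that is not part of the original thread or of Tomcat: a Python audit over web.xml text. The finding codes, the file labels and the CORRECTED descriptor are assumptions constructed for illustration; AS_POSTED repeats the servlet block from the thread.

```python
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

def _local(tag):
    return tag.rsplit("}", 1)[-1]          # drop "{namespace}" when web.xml declares one

def _kids(elem, name):
    return [c for c in elem if _local(c.tag) == name]

def audit(xml_text):
    """Return finding codes (constructed names) for each CGIServlet in one web.xml."""
    codes = []
    servlets = [e for e in ET.fromstring(xml_text).iter() if _local(e.tag) == "servlet"]
    for servlet in servlets:
        cls = _kids(servlet, "servlet-class")
        if not cls or (cls[0].text or "").strip() != CGI_CLASS:
            continue
        codes.append("CGI_DECLARED")
        params = {}
        for ip in _kids(servlet, "init-param"):
            names, values = _kids(ip, "param-name"), _kids(ip, "param-value")
            if len(names) != 1 or len(values) != 1:
                codes.append("MALFORMED_INIT_PARAM")   # one pair per <init-param>
                continue
            params[(names[0].text or "").strip()] = (values[0].text or "").strip()
        if params.get("enableCmdLineArguments", "").lower() == "true":
            codes.append("CMDLINE_ARGS_ENABLED")       # query string becomes script argv
    return codes

def audit_all(files):
    """files: {label: xml_text}. Adds a cross-file finding when CGI is enabled twice."""
    report = {label: audit(xml) for label, xml in files.items()}
    if sum("CGI_DECLARED" in codes for codes in report.values()) > 1:
        report["*"] = ["CGI_IN_MULTIPLE_FILES"]
    return report

# Servlet block as posted in the thread: two pairs inside a single <init-param>.
AS_POSTED = """<web-app><servlet>
  <servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  <init-param>
    <param-name>cgiPathPrefix</param-name><param-value>cgi-bin</param-value>
    <param-name>executable</param-name><param-value>/usr/bin/perl</param-value>
  </init-param>
  <load-on-startup>5</load-on-startup>
</servlet></web-app>"""
# Constructed correction: one <init-param> per pair, command-line arguments enabled.
CORRECTED = """<web-app><servlet>
  <servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  <init-param><param-name>cgiPathPrefix</param-name><param-value>cgi-bin</param-value></init-param>
  <init-param><param-name>executable</param-name><param-value>/usr/bin/perl</param-value></init-param>
  <init-param><param-name>enableCmdLineArguments</param-name><param-value>true</param-value></init-param>
  <load-on-startup>5</load-on-startup>
</servlet></web-app>"""

if __name__ == "__main__":   # labels are constructed stand-ins for two descriptors
    print(audit_all({"conf/web.xml": AS_POSTED, "WEB-INF/web.xml": CORRECTED}))
```

A CMDLINE_ARGS_ENABLED finding marks every descriptor where the query string of a request is handed to the CGI script as its argument list, which is the setting to review before exposing the application.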



RE: getopts of Perl is not working Tomcat 9

Jonnalagadda, Swathi (External)
Thanks in tons Thomas.

I didn’t realize that it could have its own web.xml. Enabling enableCmdLineArguments helped. getOpts is working fine now.

Regards
Swathi


RE: getopts of Perl is not working Tomcat 9

Jonnalagadda, Swathi (External)

Thanks in tons Mark.

I didn’t realize that it could have its own web.xml. Enabling enableCmdLineArguments helped. getOpts is working fine now.

Regards
Swathi


Recall: getopts of Perl is not working Tomcat 9

Jonnalagadda, Swathi (External)
In reply to this post by Jonnalagadda, Swathi (External)
Jonnalagadda, Swathi (External) would like to recall the message, "getopts of Perl is not working Tomcat 9".

Re: getopts of Perl is not working Tomcat 9

Christopher Schultz-2
In reply to this post by Jonnalagadda, Swathi (External)
Swathi,

On 11/16/20 06:47, Jonnalagadda, Swathi (External) wrote:
> I didn’t realize that it could have its own web.xml. Enabling
> enableCmdLineArguments helped. getOpts is working fine now
Please note that it can be very easy to open a security hole by allowing
remote clients to specify command-line parameters on your server.

Think very carefully about whether or not you want and/or need this feature.

-chris


RE: getopts of Perl is not working Tomcat 9

Jonnalagadda, Swathi (External)
Thank you for checking on this Chris

The application is used by internal users only and is not available for all. So I believe it is fine to use it here.

Regards
Swathi
