On 04/12/2018 20:36, Michael Osipov wrote:
> On 2018-12-03 at 20:30, Mark Thomas wrote:
>> Hi,
>>
>> I have been looking at [1]. This is a request to be able to specify a
>> URL for a WAR, including a URL that points to a WAR file packaged inside
>> a JAR. This request is in the context of embedded Tomcat.
>>
>> The embedded aspects are just part of this. Fixes would also be required
>> to the core Tomcat code.
>>
>> The Javadoc for Context indicates that a URL is acceptable for the
>> docBase. However, the code does not support this. The code expects a
>> file path (absolute or relative to appBase) that points to either a
>> directory or a WAR.
> 
> How can a URL with a scheme be relative?!

It isn't a URL. The docBase is currently documented to accept file paths
(e.g.: /foo/bar/app.war, app2.war, ../app3.war, etc.) and URLs.

>> I've been looking at the code and there are multiple places where the
>> assumption is made that the docBase is a file path. They are fixable
>> but...
>>
>> I am wondering whether it would be better to fix this or to change the
>> Javadoc.
>>
>> In favour of fixing this:
>> - the code would match the intention as described in the Javadoc
>> - the requirements of [1] would be addressed
>> - loading a WAR from a URL offers a lot more flexibility
>>
>> In favour of changing the Javadoc:
>> - there are multiple places that would need to be fixed
>> - loading a WAR from a URL broadens the attack surface if a malicious
>>    user can get to the configuration files
>> - there doesn't seem to be much demand for loading from a URL (one bug
>>    report with no activity and no votes in ~5 years)
>>
>> I'm somewhat on the fence on this one.
>>
>> Thoughts?
> 
> I strive for simplicity, so I'd go with option 2. Moreover, we should
> clearly document which URL schemes are supported, e.g., file:// only.

If URLs are supported there will be no limits on scheme. Tomcat will
extract the WAR and run it from the extracted location.

Mark
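
Added example, not part of the original thread and not Tomcat code: a configuration audit that separates file-path docBase values from URL ones and reports URLs whose scheme is outside an allowlist, which is the review a defender would want given the attack-surface concern raised above. The file-only allowlist, the function names and the sample XML are assumptions constructed for illustration.

```python
import re
import xml.etree.ElementTree as ET

# URL scheme (RFC 3986) of two or more characters, so a Windows drive
# letter such as "C:\apps\app.war" is treated as a file path, not a scheme.
SCHEME_RE = re.compile(r"^([A-Za-z][A-Za-z0-9+.\-]+):")
WRAPPERS = {"jar"}  # schemes whose remainder is itself a URL

def classify_doc_base(doc_base):
    """Return ("path", None) for a file path or ("url", scheme), where
    scheme is the innermost one (jar:http://... gives "http")."""
    value, scheme = doc_base.strip(), None
    while True:
        m = SCHEME_RE.match(value)
        if not m:
            break
        scheme = m.group(1).lower()
        if scheme not in WRAPPERS:
            break
        value = value[m.end():]  # unwrap and inspect the nested URL
    return ("path", None) if scheme is None else ("url", scheme)

def audit_contexts(xml_text, allowed_schemes=("file",)):
    """List (docBase, scheme) for each Context element whose docBase is
    a URL with a scheme outside allowed_schemes (assumed policy)."""
    findings = []
    for ctx in ET.fromstring(xml_text).iter("Context"):
        doc_base = ctx.get("docBase")
        if doc_base is None:
            continue
        kind, scheme = classify_doc_base(doc_base)
        if kind == "url" and scheme not in allowed_schemes:
            findings.append((doc_base, scheme))
    return findings

# Constructed sample configuration; hosts and paths are placeholders.
SAMPLE = """<Host name="localhost" appBase="webapps">
  <Context path="/a" docBase="/foo/bar/app.war"/>
  <Context path="/b" docBase="../app3.war"/>
  <Context path="/c" docBase="C:\\apps\\app.war"/>
  <Context path="/d" docBase="file:///opt/wars/app.war"/>
  <Context path="/e" docBase="jar:file:/opt/bundle.jar!/app.war"/>
  <Context path="/f" docBase="https://files.example.invalid/app.war"/>
  <Context path="/g" docBase="jar:http://files.example.invalid/b.jar!/app.war"/>
</Host>"""

if __name__ == "__main__":
    for doc_base, scheme in audit_contexts(SAMPLE):
        print(f"non-file docBase ({scheme}): {doc_base}")
```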
