https://bz.apache.org/bugzilla/show_bug.cgi?id=69752
--- Comment #7 from Don't show my email <apa...@resellerdesktop.de> ---

To make my POV clear:

This is foolish, but an expression of will:

    appBase="/usr/java/apache-tomcat-9.0.106/conf"
    appBase="/usr/java/apache-tomcat-9.0.106/"
    appBase="/conf"
    appBase="/"

(still unclear if absolute root or relative "/" is meant and the best example not to accept everything here)

This is the exact opposite:

    appBase=""

This is no expression at all, which means the attribute should be handled with the default value and not with "".

Your argument, that the logs reveal the consequences of a foolish appBase, is valid, but unrealistic. Have you seen how much startup output comes out of just one spring app these days? 10-15 pages of pure blinding (mostly) unnecessary blotput :) It's highly unlikely that an admin will notice any misconfiguration besides "Shit, it does not start." at even one of those apps, not thinking of 10th of them, if he is even looking at that log.

I can only give the advice to learn from proftpd: In 2012 I wrote a presentation for the "16th anniversary of a bad decision." and handed it in for the annual CCC: The proftpd devs had decided not to check if the path for a given vhost is a link or not and just chrooted on it. Over time several people, me included, raised security concerns about this, because it's a race condition, because an attacker may be able to exchange the given path with a symlink at any time (and sometimes servers restart ;) ) and escape the chroot to "/". For more than 16 years they answered all requests to add a test on startup if that path is a link or not, with this: "We wrote it in the docs, that the admin has to make sure, that it's not a (harmful) symlink (of any form)." (I simplified the major problem a bit)

Guess what happened a few years later... "something" (I was not involved) convinced them to add that check in the end and for the past ~ten years, it's now really "secure by default".

The same situation applies to this tomcat problem:

a) you know what will happen if you go on like this, same as the proftpd devs did.
b) the problem is easily avoidable by the product
c) it shall protect against unwanted issues, not expressed foolishness and
d) they used the same arguments as you did, more or less by the letter ;)

They also said that it's too complex to check all situations, but I wrote them a working patch with just a few lines of code that proved them wrong ;)

All you need for this tomcat issue is this:

    // Join with the two-argument constructor so a path separator is inserted
    File file = new File(CATALINA_HOME, appBase);
    String cnnpath = file.getCanonicalPath();
    if (cnnpath.equals(CATALINA_HOME) || cnnpath.equals(CATALINA_HOME + "/conf"))
        throw new SecurityException();

or just return a startup error for that host.

I know it's only valid for the relative form of appBase, so it's not that hard to adopt the other. I even take a "if ( appBase.equals("") ) appBase="webapps";" as a solution, but I prefer the more common solution, as it protects against other accidents as well.
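
Added example, not part of the comment above and not Tomcat's own code: a self-contained Java version of the canonical-path check the comment proposes, extended to absolute appBase values and to the empty-string default. The class and method names, the rule that relative values resolve against the home directory, and the temp directory standing in for CATALINA_HOME are assumptions made for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class AppBaseCheck {                       // hypothetical class, not Tomcat code
    static final String DEFAULT_APP_BASE = "webapps";

    /** Returns the canonical appBase, or throws if it lands on home or home/conf. */
    static File resolveAppBase(File catalinaHome, String appBase) throws IOException {
        if (appBase == null || appBase.trim().isEmpty()) {
            appBase = DEFAULT_APP_BASE;           // "" expresses nothing: use the default
        }
        File home = catalinaHome.getCanonicalFile();
        File candidate = new File(appBase);
        if (!candidate.isAbsolute()) {            // assumption: relative values hang off home
            candidate = new File(home, appBase);
        }
        // Canonicalization collapses "." / ".." and resolves symlinks, so
        // "webapps/../conf" and a symlink pointing at conf are caught as well.
        File canonical = candidate.getCanonicalFile();
        File conf = new File(home, "conf").getCanonicalFile();
        if (canonical.equals(home) || canonical.equals(conf)) {
            throw new SecurityException("appBase resolves to protected directory " + canonical);
        }
        return canonical;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout in a temp directory standing in for CATALINA_HOME.
        File home = Files.createTempDirectory("catalina-home").toFile();
        new File(home, "conf").mkdir();
        new File(home, "webapps").mkdir();
        String[] samples = { "", "webapps", "conf", ".", "webapps/../conf",
                             home.getPath(), new File(home, "conf").getPath() };
        for (String s : samples) {
            try {
                System.out.println("accepted \"" + s + "\" -> " + resolveAppBase(home, s));
            } catch (SecurityException e) {
                System.out.println("rejected \"" + s + "\": " + e.getMessage());
            }
        }
    }
}
```

Because the comparison is done on canonical paths at startup, it only reflects the filesystem at that moment; a path swapped for a symlink afterwards is not re-checked until the next start.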