This is an automated email from the ASF dual-hosted git repository.
remm pushed a commit to branch main
in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push:
new 78bfb50eb7 Add log warning for additional suspicious appBase values
78bfb50eb7 is described below
commit 78bfb50eb7d1876f696311af3f91badc99e1b8a9
Author: remm <[email protected]>
AuthorDate: Thu Nov 20 09:37:05 2025 +0100
Add log warning for additional suspicious appBase values
---
java/org/apache/catalina/core/LocalStrings.properties | 2 ++
java/org/apache/catalina/core/StandardHost.java | 13 +++++++++++++
webapps/docs/changelog.xml | 4 ++++
3 files changed, 19 insertions(+)
diff --git a/java/org/apache/catalina/core/LocalStrings.properties
b/java/org/apache/catalina/core/LocalStrings.properties
index c9c2ecbed0..31602e7018 100644
--- a/java/org/apache/catalina/core/LocalStrings.properties
+++ b/java/org/apache/catalina/core/LocalStrings.properties
@@ -266,7 +266,9 @@ standardHost.noContext=No Context configured to process
this request
standardHost.notContext=Child of a Host must be a Context
standardHost.nullName=Host name is required
standardHost.problematicAppBase=Using an empty string for appBase on host
[{0}] will set it to CATALINA_BASE, which is a bad idea
+standardHost.problematicAppBaseParent=appBase on host [{0}] is a parent folder
of CATALINA_BASE, which is a bad idea
standardHost.problematicLegacyAppBase=Using an empty string for legacyAppBase
on host [{0}] will set it to CATALINA_BASE, which is a bad idea
+standardHost.problematicLegacyAppBaseParent=legacyAppBase on host [{0}] is a
parent folder of CATALINA_BASE, which is a bad idea
standardHostValve.customStatusFailed=Custom error page [{0}] could not be
dispatched correctly
standardHostValve.exception=Exception Processing [{0}]
diff --git a/java/org/apache/catalina/core/StandardHost.java
b/java/org/apache/catalina/core/StandardHost.java
index 8ac855c6e3..ddb16abec1 100644
--- a/java/org/apache/catalina/core/StandardHost.java
+++ b/java/org/apache/catalina/core/StandardHost.java
@@ -18,6 +18,7 @@ package org.apache.catalina.core;
import java.io.File;
import java.io.IOException;
+import java.nio.file.Path;
import java.util.ArrayList;
import java.util.Arrays;
import java.util.List;
@@ -228,6 +229,12 @@ public class StandardHost extends ContainerBase implements
Host {
// Ignore
}
+ Path appBasePath = file.toPath();
+ Path basePath = getCatalinaBase().toPath();
+ if (basePath.startsWith(appBasePath)) {
+ log.warn(sm.getString("standardHost.problematicAppBaseParent",
getName()));
+ }
+
this.appBaseFile = file;
return file;
}
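Review bot: `basePath.startsWith(appBasePath)` compares path name elements as written, without collapsing `..` segments or resolving symlinks, so the new warning can be missed when either path is not in canonical form. The `// Ignore` catch just above suggests canonicalisation of `file` can fail silently (that code, and the start of the method, lie outside the hunk), and whether `getCatalinaBase()` returns a canonical file is not visible here. Normalising both sides first would make the check more dependable: `Path appBasePath = file.toPath().toAbsolutePath().normalize();` and `Path basePath = getCatalinaBase().toPath().toAbsolutePath().normalize();`. The same applies to the legacyAppBase check in the next hunk.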
@@ -271,6 +278,12 @@ public class StandardHost extends ContainerBase implements
Host {
// Ignore
}
+ Path appBasePath = file.toPath();
+ Path basePath = getCatalinaBase().toPath();
+ if (basePath.startsWith(appBasePath)) {
+
log.warn(sm.getString("standardHost.problematicLegacyAppBaseParent",
getName()));
+ }
+
this.legacyAppBaseFile = file;
return file;
}
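Review bot: `Path.startsWith` is also true when the two paths are equal, so a legacyAppBase (or, in the previous hunk, an appBase) that resolves to CATALINA_BASE itself is logged as "a parent folder of CATALINA_BASE". A comment above the `if`, such as `// Also true when the paths are equal, i.e. the app base is CATALINA_BASE itself`, would record that this is intended. The six added lines also repeat the previous hunk apart from the message key, so a small private helper taking the `File` and the key would keep the two checks from drifting apart. The enclosing method starts outside the hunk.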
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 360d80a654..211ed75b7c 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -191,6 +191,10 @@
individual class path components to avoid a potential
<code>NullPointerException</code>. Identified by Coverity Scan. (markt)
</fix>
+ <fix>
+ Add log warnings for additional Host <code>appBase</code> suspicious
+ values. (remm)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">