https://issues.apache.org/bugzilla/show_bug.cgi?id=57251

--- Comment #22 from Mark Thomas <ma...@apache.org> ---
(In reply to Francisco A. Lozano from comment #20)
> (In reply to Mark Thomas from comment #19)
> > (In reply to Christopher Schultz from comment #17)
> > > (In reply to Mark Thomas from comment #16)
> > > > There is nothing stopping users copying an exploded directory into the
> > > > appBase in the same way a WAR is copied. The ASF's JIRA instance runs
> > > > this way for exactly the security concerns you cite.
> > > 
> > > Yes, but those WARs are being copied locally and can work by using a user
> > > other than Tomcat's uid.
> > 
> > Nothing stops this other user from copying an exploded directory to the
> > appBase rather than an unexploded WAR.
> 
> But this other user can be more tightly controlled, because it doesn't
> execute anything. The user that writes doesn't execute, and the user that
> executes doesn't write. It's a pretty common security pattern
> http://en.wikipedia.org/wiki/W%5EX

Which is the point I was making. Copying in a WAR that Tomcat doesn't expand or
copying in an exploded directory that Tomcat doesn't need to expand, the
security benefits are exactly the same (assuming permissions are set
correctly).

> > > > I do not see any security benefits that are unique to unpackWARs="false"
> > > 
> > > If Tomcat itself can be remotely exploited to drop a WAR file into
> > > webapps/ then it might be auto-deployed without local access (which is
> > > what you describe above).
> > 
> > Either the appBase is writeable (in which case there is a small security
> > risk) or it isn't. A writeable (by the Tomcat user) appBase is independent
> > of whether you deploy applications as WARs or exploded directories.
> 
> But when you use WARs you hit this issue in Tomcat 8 and not in Tomcat 7/6.

Which is why we are discussing whether or not there is any need to run directly
from a WAR. The best argument made so far is that it is easier to move around a
WAR than an exploded directory but - given expanding a WAR is a one-line script
on any platform where you can run Tomcat (you can use jar to unpack the WAR) -
that use case doesn't strike me as a particularly strong one.

(In reply to Francisco A. Lozano from comment #21)
> From documentation
> (http://tomcat.apache.org/tomcat-8.0-doc/config/context.html):
> 
> "Note that WAR files located outside of a Host's appBase are never unpacked."
> 
> From that comment, not fixing this would mean that there would be no way to
> deploy WARs out of appBase at an acceptable speed?

That comment is out of date. Tomcat 8 (and possibly 7 - I'd need to check) will
unpack it now the various edge cases in the deployer have been cleaned up.
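
The permission split argued over in this comment (the deploying account writes, the Tomcat account only reads) can be checked the same way whether the appBase holds WARs or exploded directories. The script below is an added example, not part of the original message or of Tomcat; the function names, the sample tree and the uid values are assumptions, and it evaluates classic POSIX mode bits only (no ACLs).

```python
import os
import stat
import tempfile

def writable_by(st, uid, gids):
    """POSIX owner/group/other write check from mode bits (ACLs ignored)."""
    if uid == 0:
        return True  # root bypasses mode bits
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_appbase(app_base, run_uid, run_gids):
    """Return every directory and file under app_base that the runtime
    account (run_uid / run_gids) would be allowed to modify."""
    findings = []
    for root, _dirs, files in os.walk(app_base):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue  # a symlink's own mode bits carry no meaning
            if writable_by(st, run_uid, run_gids):
                findings.append(path)
    return sorted(findings)

def demo():
    """Constructed appBase: a WAR, an exploded app, a world-writable dir."""
    layout = {"app.war": 0o644, "exploded": 0o755,
              "exploded/index.jsp": 0o644, "uploads": 0o777}
    with tempfile.TemporaryDirectory() as base:
        for rel, mode in layout.items():
            path = os.path.join(base, rel)
            if "." in rel:
                open(path, "w").close()
            else:
                os.mkdir(path)
            os.chmod(path, mode)
        os.chmod(base, 0o755)
        deploy_uid = os.lstat(base).st_uid  # account that copied the files
        runtime_uid = deploy_uid + 1        # hypothetical Tomcat account
        rel = lambda paths: [os.path.relpath(p, base) for p in paths]
        as_runtime = rel(audit_appbase(base, runtime_uid, set()))
        as_deployer = rel(audit_appbase(base, deploy_uid, set()))
    return as_runtime, as_deployer

if __name__ == "__main__":
    print(demo())
```

An empty result for the runtime account means that account cannot modify anything under the appBase; the WAR and the exploded directory are treated identically by the check.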
