Re: Tomcat 6.0.18 access files case-insensitive
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>>
>> Since the filesystem is case-sensitive, it may well have both
>> "abc.html" and "ABC.HTML" in the same directory. So which one
>> would it pick to keep ?
>
> Presumably the first or last one encountered. A clever algorithm could keep
> them all (via a case-insensitive hash) and then try for an exact match; if
> that failed, pick one. Would seem like a lot of work for little benefit.
>
>> So, back to the Tomcat developers. What /is/ the point of the
>> caseSensitive attribute in the element ?
>
> Inquiring minds want to know...

As far as I can tell from the archives, it was introduced as a backwards compatibility option for Tomcat 3.1.1 when Tomcat was made case sensitive on Windows for security reasons. [1]

If this is correct, it is probably safe to remove it by now ;)

I've made a proposal to do just that for Tomcat 7 on the dev list. [2]

Mark

[1] http://markmail.org/message/6o6w2wpgqcys6vwx
[2] http://markmail.org/message/nl7usm7345wh2vvg

- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
Re: Tomcat 6.0.18 access files case-insensitive
Tim Funk wrote:
> It's there "for convenience" (and been there "forever") - but it is a great
> big security hole if we ignore case (Try asking for /web-INF/wEb.xml - or
> even more evil "/web-INF/wEb.xm%6c")

Ok. My point (at the end) was : there does not seem to be a real "useful use" for /ever/ setting this to false.
Under Windows, you shouldn't.
And under any OS which has a case-sensitive filesystem, it does not seem to achieve anything useful basically.
So why even keep it, and have it documented ? Just set it to true internally and be done with it.
Re: Tomcat 6.0.18 access files case-insensitive
It's there "for convenience" (and been there "forever") - but it is a great big security hole if we ignore case (Try asking for /web-INF/wEb.xml - or even more evil "/web-INF/wEb.xm%6c")

-Tim

André Warnier wrote:
> Even that wouldn't work.
> Since the filesystem is case-sensitive, it may well have both "abc.html"
> and "ABC.HTML" in the same directory. So which one would it pick to keep ?
>
> So, back to the Tomcat developers. What /is/ the point of the
> caseSensitive attribute in the element ?
Re: Tomcat 6.0.18 access files case-insensitive
Caldarale, Charles R wrote:
> Presumably the first or last one encountered.
...
Or it could just pick a random file in the directory, whether it matches something or not. After all, you were saying that this would only affect lazy clients or bad programmers.
RE: Tomcat 6.0.18 access files case-insensitive
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>
> Since the filesystem is case-sensitive, it may well have both
> "abc.html" and "ABC.HTML" in the same directory. So which one
> would it pick to keep ?

Presumably the first or last one encountered. A clever algorithm could keep them all (via a case-insensitive hash) and then try for an exact match; if that failed, pick one. Would seem like a lot of work for little benefit.

> So, back to the Tomcat developers. What /is/ the point of the
> caseSensitive attribute in the element ?

Inquiring minds want to know...

- Chuck

THIS COMMUNICATION MAY CONTAIN CONFIDENTIAL AND/OR OTHERWISE PROPRIETARY MATERIAL and is thus for use only by the intended recipient. If you received this in error, please contact the sender and delete the e-mail and its attachments from all computers.
Re: Tomcat 6.0.18 access files case-insensitive
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>>
>> Now if the attribute is false, does that mean that Tomcat will try all
>> possible case variations between "abc.html" and "ABC.HTML" before it
>> gives up ? I just looked at the code in FileDirContext.java (and related
>> classes), and it does not seem to.
>
> It wouldn't have to try all variations; it could simply use the
> String.equalsIgnoreCase() method on each entry in the directory of
> interest, or force everything to one case or another when it builds its
> internal lookup table - but I couldn't find anything like that going on.

Even that wouldn't work.
Since the filesystem is case-sensitive, it may well have both "abc.html" and "ABC.HTML" in the same directory. So which one would it pick to keep ?

So, back to the Tomcat developers. What /is/ the point of the caseSensitive attribute in the element ?
Re: Tomcat 6.0.18 access files case-insensitive
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> Should the first phrase not read
>> "If the value of this flag is true, all case sensitivity checks will be
>> *enabled*."
>
> Agreed.

Fixed for 4.1.x, 5.5.x, 6.0.x & trunk. Will be in the next releases of each.

All this time and no-one noticed...

Mark
RE: Tomcat 6.0.18 access files case-insensitive
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>
> Now if the attribute is false, does that mean that Tomcat will try all
> possible case variations between "abc.html" and "ABC.HTML" before it
> gives up ? I just looked at the code in FileDirContext.java (and related
> classes), and it does not seem to.

It wouldn't have to try all variations; it could simply use the String.equalsIgnoreCase() method on each entry in the directory of interest, or force everything to one case or another when it builds its internal lookup table - but I couldn't find anything like that going on.

> And otherwise, what's the point ?

You got me.

- Chuck
Re: Tomcat 6.0.18 access files case-insensitive
Caldarale, Charles R wrote:
>> From: André Warnier [mailto:a...@ice-sa.com]
>> I also wonder what the purpose of this attribute really is, in fact.
>> Should this not always be left to "case sensitive = true" ?
>
> Unless you're begging for trouble, or have a really, really sloppy
> programming staff.
>
>> - but under a case-sensitive filesystem, what would be a good reason to
>> set it to "false" ?
>
> Extremely lazy users, or non-browser clients that were badly and
> inconsistently programmed.

Well, just follow me for a minute.
Suppose we do have a case-sensitive filesystem, and we set this attribute to false.
The URL is case-sensitive anyway. Or rather, let's say that it is treated "as is".
Now suppose there exists a file in the (case-sensitive) filesystem called "ABC.HTML".
And suppose the client asks for "/abc.html".
Now if the attribute is false, does that mean that Tomcat will try all possible case variations between "abc.html" and "ABC.HTML" before it gives up ?
And otherwise, what's the point ?
RE: Tomcat 6.0.18 access files case-insensitive
> From: André Warnier [mailto:a...@ice-sa.com]
> Subject: Re: Tomcat 6.0.18 access files case-insensitive
>
> So apparently Tomcat does not just use the standard Windows
> file..open function, it runs additional checks.

Tomcat doesn't use Windows anything, it uses the JRE methods. Underlying those are calls to Windows APIs. Once the File object is created, by default it does check that the requested name exactly matches the found name.

> I personally find this paragraph rather obscure

It's not obscure, it's wrong; the first sentence is backwards, as you noticed.

> Should the first phrase not read
> "If the value of this flag is true, all case sensitivity checks will be
> *enabled*."

Agreed.

> I also wonder what the purpose of this attribute really is, in fact.
> Should this not always be left to "case sensitive = true" ?

Unless you're begging for trouble, or have a really, really sloppy programming staff.

> - but under a case-sensitive filesystem, what would be a good reason to
> set it to "false" ?

Extremely lazy users, or non-browser clients that were badly and inconsistently programmed.

- Chuck
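The two behaviours discussed in this thread (Tim's "/web-INF/wEb.xm%6c" hole when case is ignored, and Chuck's remark that Tomcat by default checks that the requested name exactly matches the name the filesystem found) can be made concrete with a small resolver. The following Python is an added illustration and is not code from this thread or from Tomcat itself: it maps a URL path onto a document root one segment at a time, comparing each segment against the directory listing. In strict mode a segment has to match an entry byte for byte, so the answer does not depend on whether the host filesystem ignores case; in lenient mode (what setting the attribute to false amounts to) a case-insensitive match is accepted, and a naive guard that only recognises "WEB-INF" spelled exactly that way is slipped past. The naive guard, the status codes, the `hardened_resolve` variant and the constructed document root (including the "KapA.pdf" file from the original question) are assumptions made for the example.

```python
import os
import tempfile
from urllib.parse import unquote


def build_sample_docroot():
    """Constructed sample document root for the illustration (not a real webapp)."""
    root = tempfile.mkdtemp(prefix="docroot-")
    os.makedirs(os.path.join(root, "WEB-INF"))
    with open(os.path.join(root, "WEB-INF", "web.xml"), "w") as f:
        f.write("<web-app/>\n")
    with open(os.path.join(root, "index.html"), "w") as f:
        f.write("<html>index</html>\n")
    with open(os.path.join(root, "KapA.pdf"), "wb") as f:
        f.write(b"%PDF-1.4\n")  # placeholder content, not a real PDF
    return root


def _match_segment(directory, segment, case_sensitive):
    """Return the directory entry that `segment` maps to, or None.

    Strict mode requires a byte-for-byte match with an existing entry, which
    is independent of whether the host filesystem itself ignores case (this is
    the kind of "requested name equals found name" check the thread describes).
    Lenient mode accepts the first entry that matches once case is ignored.
    """
    entries = os.listdir(directory)
    if segment in entries:
        return segment
    if not case_sensitive:
        for entry in entries:
            if entry.lower() == segment.lower():
                return entry
    return None


def resolve(docroot, url_path, case_sensitive=True):
    """Map a request path onto docroot; return (status, relative path or None).

    The WEB-INF guard here is deliberately the naive literal check from the
    thread (a hypothetical guard, not Tomcat's): it only recognises "WEB-INF"
    spelled exactly that way, so a differently cased request passes it.
    Whether that request then reaches the file depends on the matching mode.
    """
    decoded = unquote(url_path)  # "%6c" becomes "l" before any check runs
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if ".." in parts:  # refuse directory traversal outright
        return 403, None
    if parts and parts[0] in ("WEB-INF", "META-INF"):  # naive, case-literal guard
        return 403, None

    current = docroot
    resolved = []
    for segment in parts:
        if not os.path.isdir(current):
            return 404, None
        name = _match_segment(current, segment, case_sensitive)
        if name is None:
            return 404, None
        current = os.path.join(current, name)
        resolved.append(name)

    if not os.path.isfile(current):
        return 404, None
    return 200, "/".join(resolved)


def hardened_resolve(docroot, url_path):
    """Defence in depth: strict matching plus a guard that ignores case."""
    decoded = unquote(url_path)
    parts = [p for p in decoded.split("/") if p not in ("", ".")]
    if parts and parts[0].upper() in ("WEB-INF", "META-INF"):
        return 403, None
    return resolve(docroot, url_path, case_sensitive=True)


if __name__ == "__main__":
    root = build_sample_docroot()
    for path, strict in [("/index.html", True), ("/KapA.PDF", True),
                         ("/KapA.PDF", False), ("/WEB-INF/web.xml", True),
                         ("/web-INF/wEb.xm%6c", True), ("/web-INF/wEb.xm%6c", False)]:
        mode = "strict" if strict else "lenient"
        print(f"{path:24s} {mode:8s} -> {resolve(root, path, strict)}")
```

Strict mode answers "/KapA.PDF" with 404 even though "KapA.pdf" exists, which is the 404 the original poster ran into; lenient mode hands back "KapA.pdf", but the same leniency turns "/web-INF/wEb.xm%6c" into the contents of WEB-INF/web.xml because the literal guard never saw the string "WEB-INF". Lenient mode also returns whichever matching entry the directory listing yields first, which is Chuck's "first or last one encountered" problem when a case-sensitive filesystem holds both "abc.html" and "ABC.HTML". The hardened variant keeps strict matching and compares the guard case-insensitively on the decoded path, so the cased request is refused rather than merely not found.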
Re: Tomcat 6.0.18 access files case-insensitive
Markus Schönhaber wrote:
> André Warnier:
>> the filesystem which matters. If the filesystem is case-insensitive, it
>> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
>
> No. Try
> http://localhost:8080/tomcat.gif
> and
> http://localhost:8080/tomcaT.gif
> with a default Tomcat install.

Sorry, I was only reasoning this platonically. And apparently I was wrong, at least on my Windows Tomcat 5.5. The second access above gives a 404.

So what's the deal again ?
Under Windows, one can create a file named "tomcat.gif" OR "tomcaT.gif", and the filesystem will effectively record the filename with the capitalisation as given when creating the file.
Suppose I have created it as "tomcat.gif".
With a text editor (or whatever) I can open this file by specifying (in the File..open dialog), a name typed in as "tomcaT.gif" (I just tried). Thus at that level it is case-insensitive.
I can also not create another file in the same directory, named "tomcaT.gif". If I try, I get a message saying that a file with the same name already exists (meaning the "tomcat.gif"). Thus at that level also it is case-insensitive.
However, via Tomcat (like the above link), if I specify a URL of "tomcaT.gif", I get a 404.
So apparently Tomcat does not just use the standard Windows file..open function, it runs additional checks. Good. Because if it did not, then I could request /myapp/web-inf/anything and get it, bypassing the /WEB-INF/ protection.

In the Tomcat on-line documentation, both for 5.5 and 6.0, for the Context element, I find the following explanation for the attribute "caseSensitive" :

"If the value of this flag is true, all case sensitivity checks will be disabled. If not specified, the default value of the flag is true. NOTE: This flag MUST NOT be set to false on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems."

I personally find this paragraph rather obscure, since the first and third phrase seem to contradict each other.
In the 1st one it says that, if set to true, all case sensitivity checks will be disabled. (true -> disabled)
In the third, it says that setting it to false will disable case sensitivity checks. (false -> disabled)
So both true and false disable case-sensitivity checks. M.. in the quantum realm maybe, but in Tomcat ?
Should the first phrase not read
"If the value of this flag is true, all case sensitivity checks will be *enabled*." ?

I also wonder what the purpose of this attribute really is, in fact.
Should this not always be left to "case sensitive = true" ?
- under Windows or any case-insensitive filesystem, it should be left to "true". Ok, understandable.
- but under a case-sensitive filesystem, what would be a good reason to set it to "false" ?
Re: Tomcat 6.0.18 access files case-insensitive
Markus Schönhaber:
> André Warnier:
>
>> the filesystem which matters. If the filesystem is case-insensitive, it
>> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
>
> No. Try

Hm, re-reading the way you asked the question, this should be "Yes, it does matter" instead of "No". ;-)

--
Regards
mks
Re: Tomcat 6.0.18 access files case-insensitive
André Warnier:
> the filesystem which matters. If the filesystem is case-insensitive, it
> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?

No. Try
http://localhost:8080/tomcat.gif
and
http://localhost:8080/tomcaT.gif
with a default Tomcat install.

--
Regards
mks
Re: Tomcat 6.0.18 access files case-insensitive
Christopher Schultz wrote:
> André,
>
> On 6/11/2009 6:32 AM, André Warnier wrote:
>> It's not a "base feature" of either Java or Tomcat, it's a base feature
>> of the OS. Windows filesystems are (relatively, see below)
>> case-insensitive, Unix/Linux are absolutely case-sensitive. Since Java
>> and Java applications are supposed to run on both, they have to choose.
>> By default, Tomcat acts case-sensitive.
>
> And furthermore, URLs themselves are case-sensitive (see HTTP/1.1 section
> 3.2.3).

Nitpicking : Well, yes. But in this case it is the mapping of a URL to an object on the filesystem which matters. If the filesystem is case-insensitive, it doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
Or am I forgetting something ?
Re: Tomcat 6.0.18 access files case-insensitive
André,

On 6/11/2009 6:32 AM, André Warnier wrote:
> It's not a "base feature" of either Java or Tomcat, it's a base feature
> of the OS. Windows filesystems are (relatively, see below)
> case-insensitive, Unix/Linux are absolutely case-sensitive. Since Java
> and Java applications are supposed to run on both, they have to choose.
> By default, Tomcat acts case-sensitive.

And furthermore, URLs themselves are case-sensitive (see HTTP/1.1 section 3.2.3).

-chris
Re: Tomcat 6.0.18 access files case-insensitive
See |caseSensitive| here
http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

But doing so makes your installation VERY insecure in a windows environment. (Since ACL's can be bypassed since most ACL rules are case sensitive)

If performance is of no concern - you could go crazy and force all URL's to lower case (using a filter to 30X redirects) then your ACL rules can be "simplified". But even that idea might have some flaws in it.

-Tim

Alexander Diedler wrote:
> Hello,
> We have an Application based on IIS 6.0 and Tomcat 6.0.18. In this
> Application will be opened a PDF (href=start.PDF). In this PDF are many
> links to other documents, that will be opened in the browser. (KapA.PDF,
> KapB.PDF). Now the distributor deliver updatefiles with changing
> extensions or names. The link is KapA.PDF in the overview, but the file
> is called KapA.pdf on filesystem and Tomcat said 404 because "PDF" not
> equal "pdf". Also it can be kapb.pdf in Overview and filesystem KAPB.PDF
> Is there are any option to disable case-sensitive on Tomcat or it is a
> "base-feature" of Java architecture?
> Greetings
> Alexander
Re: Tomcat 6.0.18 access files case-insensitive
Alexander Diedler wrote:
> Hello,
> We have an Application based on IIS 6.0 and Tomcat 6.0.18. In this
> Application will be opened a PDF (href=start.PDF). In this PDF are many
> links to other documents, that will be opened in the browser. (KapA.PDF,
> KapB.PDF). Now the distributor deliver updatefiles with changing
> extensions or names. The link is KapA.PDF in the overview, but the file
> is called KapA.pdf on filesystem and Tomcat said 404 because "PDF" not
> equal "pdf". Also it can be kapb.pdf in Overview and filesystem KAPB.PDF
> Is there are any option to disable case-sensitive on Tomcat or it is a
> "base-feature" of Java architecture?

It's not a "base feature" of either Java or Tomcat, it's a base feature of the OS. Windows filesystems are (relatively, see below) case-insensitive, Unix/Linux are absolutely case-sensitive. Since Java and Java applications are supposed to run on both, they have to choose. By default, Tomcat acts case-sensitive. You can disable that, but I would be very careful if I was you, because you may trigger a whole bunch of other problems, for instance with access security.

The real problem here is the inconsistency of the original documents. You should tell your supplier to be consistent.
Or else, you should filter the documents when you receive them, and replace the links by consistent ones. There exists PDF-handling software that allows you to do that kind of thing.
Or else, you should implement a servlet filter which takes care of these links in particular, and make sure that when /you/ write documents to your filesystem, you always write them in a consistent way. Even under Windows, you can /force/ filenames to be all lowercase on disk. Windows creates and stores filenames in the upper/lower case that you specify. It is just at retrieval time that Windows acts in a case-insensitive fashion.