RE: getopts of Perl is not working Tomcat 9
Thank you for checking on this Chris The application is used by internal users only and is not available for all. So I believe it is fine to use it here. Regards Swathi -Original Message- From: Christopher Schultz [mailto:ch...@christopherschultz.net] Sent: Monday, November 16, 2020 7:30 PM To: users@tomcat.apache.org Subject: Re: getopts of Perl is not working Tomcat 9 CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. Swathi, On 11/16/20 06:47, Jonnalagadda, Swathi (External) wrote: > I didn’t realize that it could have its own web.xml. Enabling > enableCmdLineArguments helped. getOpts is working fine now Please note that it can be very easy to open security hole by allowing remote clients to specify command-line parameters on your server. Think very carefully about whether or not you want and/or need this feature. -chris > -Original Message- > From: Mark Thomas [mailto:ma...@apache.org] > Sent: Monday, November 16, 2020 3:29 PM > To: Tomcat Users List > Subject: Re: getopts of Perl is not working Tomcat 9 > > CAUTION: This email originated from outside the organization. Do not click > links or open attachments unless you recognize the sender and know the > content is safe. > > On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote: >> Hi Mark, >> >> Thank you for replying on this. >> >> Please find below servlet configuration >> >> >> cgi >> >> org.apache.catalina.servlets.CGIServlet >> >>cgiPathPrefix >>cgi-bin >>executable >>/usr/bin/perl >> >> 5 >> > > That configuration is not valid. I'm surprised Tomcat even starts with a > configuration like that. Enabling validation would catch that but I'll look > to see if there is more we can do. > >> >> cgi >> /cgi-bin/* >> >> >> The url we access is >> http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p > > Given a fixed version of the configuration above, getopts isn't going to work > because you haven't enabled command line arguments. > > See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html > Look for enableCmdLineArguments > > See also CVE-2019-0232 if you are running on Windows. > >> Please note that the cgi files are all under maskedapp/cgi-bin of webapps >> folder. >> >> Also I have observed that even if I don’t configure cgi servlet in web.xml, >> the server is executing the cgi file but it is not able to execute getops >> method. > > Then you have the CGI servlet (or the CGI filter) enabled in another > location. Check both the global and per web application web.xml file. > You'd normally only enable GCI in one location. > > Mark > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > - > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: getopts of Perl is not working Tomcat 9
Swathi, On 11/16/20 06:47, Jonnalagadda, Swathi (External) wrote: I didn’t realize that it could have its own web.xml. Enabling enableCmdLineArguments helped. getOpts is working fine now Please note that it can be very easy to open security hole by allowing remote clients to specify command-line parameters on your server. Think very carefully about whether or not you want and/or need this feature. -chris -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, November 16, 2020 3:29 PM To: Tomcat Users List Subject: Re: getopts of Perl is not working Tomcat 9 CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote: Hi Mark, Thank you for replying on this. Please find below servlet configuration cgi org.apache.catalina.servlets.CGIServlet cgiPathPrefix cgi-bin executable /usr/bin/perl 5 That configuration is not valid. I'm surprised Tomcat even starts with a configuration like that. Enabling validation would catch that but I'll look to see if there is more we can do. cgi /cgi-bin/* The url we access is http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p Given a fixed version of the configuration above, getopts isn't going to work because you haven't enabled command line arguments. See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html Look for enableCmdLineArguments See also CVE-2019-0232 if you are running on Windows. Please note that the cgi files are all under maskedapp/cgi-bin of webapps folder. Also I have observed that even if I don’t configure cgi servlet in web.xml, the server is executing the cgi file but it is not able to execute getops method. Then you have the CGI servlet (or the CGI filter) enabled in another location. Check both the global and per web application web.xml file. You'd normally only enable GCI in one location. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: getopts of Perl is not working Tomcat 9
Thanks in tons Mark. I didn’t realize that it could have its own web.xml. Enabling enableCmdLineArguments helped. getOpts is working fine now Regards Swathi -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, November 16, 2020 3:29 PM To: Tomcat Users List Subject: Re: getopts of Perl is not working Tomcat 9 CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote: > Hi Mark, > > Thank you for replying on this. > > Please find below servlet configuration > > > cgi > org.apache.catalina.servlets.CGIServlet > > cgiPathPrefix > cgi-bin > executable > /usr/bin/perl > > 5 > That configuration is not valid. I'm surprised Tomcat even starts with a configuration like that. Enabling validation would catch that but I'll look to see if there is more we can do. > > cgi > /cgi-bin/* > > > The url we access is > http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p Given a fixed version of the configuration above, getopts isn't going to work because you haven't enabled command line arguments. See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html Look for enableCmdLineArguments See also CVE-2019-0232 if you are running on Windows. > Please note that the cgi files are all under maskedapp/cgi-bin of webapps > folder. > > Also I have observed that even if I don’t configure cgi servlet in web.xml, > the server is executing the cgi file but it is not able to execute getops > method. Then you have the CGI servlet (or the CGI filter) enabled in another location. Check both the global and per web application web.xml file. You'd normally only enable GCI in one location. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: getopts of Perl is not working Tomcat 9
Thanks in tons Thomas. I didn’t realize that it could have its own web.xml. Enabling enableCmdLineArguments helped. getOpts is working fine now Regards Swathi -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Monday, November 16, 2020 3:29 PM To: Tomcat Users List Subject: Re: getopts of Perl is not working Tomcat 9 CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote: > Hi Mark, > > Thank you for replying on this. > > Please find below servlet configuration > > > cgi > org.apache.catalina.servlets.CGIServlet > > cgiPathPrefix > cgi-bin > executable > /usr/bin/perl > > 5 > That configuration is not valid. I'm surprised Tomcat even starts with a configuration like that. Enabling validation would catch that but I'll look to see if there is more we can do. > > cgi > /cgi-bin/* > > > The url we access is > http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p Given a fixed version of the configuration above, getopts isn't going to work because you haven't enabled command line arguments. See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html Look for enableCmdLineArguments See also CVE-2019-0232 if you are running on Windows. > Please note that the cgi files are all under maskedapp/cgi-bin of webapps > folder. > > Also I have observed that even if I don’t configure cgi servlet in web.xml, > the server is executing the cgi file but it is not able to execute getops > method. Then you have the CGI servlet (or the CGI filter) enabled in another location. Check both the global and per web application web.xml file. You'd normally only enable GCI in one location. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
Re: getopts of Perl is not working Tomcat 9
On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote: > Hi Mark, > > Thank you for replying on this. > > Please find below servlet configuration > > > cgi > org.apache.catalina.servlets.CGIServlet > > cgiPathPrefix > cgi-bin > executable > /usr/bin/perl > > 5 > That configuration is not valid. I'm surprised Tomcat even starts with a configuration like that. Enabling validation would catch that but I'll look to see if there is more we can do. > > cgi > /cgi-bin/* > > > The url we access is > http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p Given a fixed version of the configuration above, getopts isn't going to work because you haven't enabled command line arguments. See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html Look for enableCmdLineArguments See also CVE-2019-0232 if you are running on Windows. > Please note that the cgi files are all under maskedapp/cgi-bin of webapps > folder. > > Also I have observed that even if I don’t configure cgi servlet in web.xml, > the server is executing the cgi file but it is not able to execute getops > method. Then you have the CGI servlet (or the CGI filter) enabled in another location. Check both the global and per web application web.xml file. You'd normally only enable GCI in one location. Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
RE: getopts of Perl is not working Tomcat 9
Hi Mark, Thank you for replying on this. Please find below servlet configuration cgi org.apache.catalina.servlets.CGIServlet cgiPathPrefix cgi-bin executable /usr/bin/perl 5 cgi /cgi-bin/* The url we access is http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p Please note that the cgi files are all under maskedapp/cgi-bin of webapps folder. Also I have observed that even if I don’t configure cgi servlet in web.xml, the server is executing the cgi file but it is not able to execute getops method. Thanks Swathi -Original Message- From: Mark Thomas [mailto:ma...@apache.org] Sent: Friday, November 13, 2020 6:51 PM To: users@tomcat.apache.org Subject: Re: getopts of Perl is not working Tomcat 9 CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe. On 13/11/2020 13:14, Jonnalagadda, Swathi (External) wrote: > Hi > > We have our web application implemented in Perl cgi which is using below > function of perl. we are upgrading from Tomcat 8.0.21 to Tomcat 9.0.38. > > The below function (getopts) is working fine Tomcat 8.0.21 but is not working > in Tomcat 9.0.38. We even tried Tomcat 9.0.39 as well and it is not working > even in 9.0.39. > > use Getopt::Std; > > getopts('ei:npXP'); > > Could you please suggest a solution here. How is the CGI servlet configured? What URL are you using to call the CGI servlet? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org<mailto:users-unsubscr...@tomcat.apache.org> For additional commands, e-mail: users-h...@tomcat.apache.org<mailto:users-h...@tomcat.apache.org>
Re: getopts of Perl is not working Tomcat 9
On 13/11/2020 13:14, Jonnalagadda, Swathi (External) wrote: > Hi > > We have our web application implemented in Perl cgi which is using below > function of perl. we are upgrading from Tomcat 8.0.21 to Tomcat 9.0.38. > > The below function (getopts) is working fine Tomcat 8.0.21 but is not working > in Tomcat 9.0.38. We even tried Tomcat 9.0.39 as well and it is not working > even in 9.0.39. > > use Getopt::Std; > > getopts('ei:npXP'); > > Could you please suggest a solution here. How is the CGI servlet configured? What URL are you using to call the CGI servlet? Mark - To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org