Hi Chris,

thanks for your explanation! I understand that cgis are not a vital 
component of tomcat and are subject to restrictions. But you sparked
my courisity ;-) I dug into CGIServlet and I would like to suggest a 
simple addition:

<----snip
*** 
apache-tomcat-9.0.117-src/java/org/apache/catalina/servlets/CGIServlet.javaMon 
Mar 30 20:21:16 2026
--- CGIServlet.java     Mon Apr 13 21:42:19 2026
***************
*** 812,817 ****
--- 812,818 ----
                  cgiPath.append(cgiPathPrefix);
              }
              urlPath.append(servletPath);
+             cgiScript = resources.getResource(cgiPath.toString());

              StringTokenizer pathWalker = new StringTokenizer(pathInfo, "/");
<----snip

Suffixes matching a directory still yield 404 (or can be explicitly mapped for
api path like calls). 

In fact this is a bit safer than the current behavior as the currently (unless 
you
have the option to move all scripts into a subtree) would be having to register 
each
script individually in web.xml. The suggested patch also catches forgotten 
files.

Christopher Schultz wrote (at 2026-04-10 09:26 -0400):
> Holger,
> 
> On 4/10/26 8:39 AM, Holger Klawitter wrote:
> > I have made a strange observation with the cgi servlet (enabled in
> > local web.xml) using tomcat 9.0.117 (also *.111):
> > 
> > when I use a subdirectory as a url pattern, everything works fine,
> > but when I use a file suffix pattern, the scripts are not being found and
> > I am getting 404.
> > 
> >      <servlet>
> >          <servlet-name>cgi</servlet-name>
> >          
> > <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
> >          <load-on-startup>5</load-on-startup>
> >          <init-param>
> >            <param-name>executable</param-name>
> >            <param-value>/usr/bin/python3</param-value>
> >          </init-param>
> >      </servlet>
> > 
> >      <servlet-mapping>
> >        <servlet-name>cgi</servlet-name>
> >        <url-pattern>/bin/*</url-pattern><!-- works -->
> >        <url-pattern>*.py</url-pattern><!-- does not work -->
> >      </servlet-mapping>
> > 
> > * Priviledged is enabled
> > * no cgiPathPrefix is set.
> > * I tried with and without the executable init-param
> > * python is there and the script exists in ./simple.py and bin/simple.py
> > 
> > What's wrong here?
> > 
> > I can provide a minimal war file if needed.
> 
> The CGIServlet requires a path-mapping and won't work with an extension
> mapping. It's non-trivial to make an extension mapping work, and typically
> in a web application all CGIs are rooted in the same place, anyway.
> 
> So you'll need to use a path-mapping.
> 
> -chris
> 
> 

---------------------------------------------------------------------
To unsubscribe, e-mail: [email protected]
For additional commands, e-mail: [email protected]

Reply via email to