Holger,

On 4/13/26 4:02 PM, Holger Klawitter wrote:
thanks for your explanation! I understand that cgis are not a vital
component of tomcat and are subject to restrictions. But you sparked
my curiosity ;-) I dug into CGIServlet and I would like to suggest a
simple addition:

<----snip
*** 
apache-tomcat-9.0.117-src/java/org/apache/catalina/servlets/CGIServlet.javaMon 
Mar 30 20:21:16 2026
--- CGIServlet.java     Mon Apr 13 21:42:19 2026
***************
*** 812,817 ****
--- 812,818 ----
                   cgiPath.append(cgiPathPrefix);
               }
               urlPath.append(servletPath);
+             cgiScript = resources.getResource(cgiPath.toString());

               StringTokenizer pathWalker = new StringTokenizer(pathInfo, "/");
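
Review bot: The added lookup "cgiScript = resources.getResource(cgiPath.toString());" at new line 815 runs unconditionally, including after the branch that ends in "cgiPath.append(cgiPathPrefix);". As far as the visible context shows, servletPath is appended only to urlPath there, so with a cgiPathPrefix configured the lookup resolves the prefix itself rather than the requested script. Consider limiting the early lookup to the case where no prefix is set, or building the looked-up path from servletPath explicitly. Nothing in the hunk checks whether the returned resource is a file or a directory before the pathWalker tokenizer is set up, so a short comment stating what the following loop is expected to do with a pre-set cgiScript would help, along with unit tests for both the /bin/* and *.py mappings, with and without cgiPathPrefix.
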
<----snip

Suffixes matching a directory still yield 404 (or can be explicitly mapped for
api path like calls).

This is an interesting suggestion. It looks like there aren't many unit tests for mapping CGIServlet requests to files. It would be very helpful to have such tests to verify the behavior before and after this proposed patch.

In fact this is a bit safer than the current behavior as the currently (unless you
have the option to move all scripts into a subtree) would be having to register each
script individually in web.xml. The suggested patch also catches forgotten files.

There is no need to map each file individually. You just need to use a prefix map.

-chris

Christopher Schultz wrote (at 2026-04-10 09:26 -0400):
Holger,

On 4/10/26 8:39 AM, Holger Klawitter wrote:
I have made a strange observation with the cgi servlet (enabled in
local web.xml) using tomcat 9.0.117 (also *.111):

when I use a subdirectory as a url pattern, everything works fine,
but when I use a file suffix pattern, the scripts are not being found and
I am getting 404.

      <servlet>
          <servlet-name>cgi</servlet-name>
          <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
          <load-on-startup>5</load-on-startup>
          <init-param>
            <param-name>executable</param-name>
            <param-value>/usr/bin/python3</param-value>
          </init-param>
      </servlet>

      <servlet-mapping>
        <servlet-name>cgi</servlet-name>
        <url-pattern>/bin/*</url-pattern><!-- works -->
        <url-pattern>*.py</url-pattern><!-- does not work -->
      </servlet-mapping>

* Privileged is enabled
* no cgiPathPrefix is set.
* I tried with and without the executable init-param
* python is there and the script exists in ./simple.py and bin/simple.py

What's wrong here?

I can provide a minimal war file if needed.

The CGIServlet requires a path-mapping and won't work with an extension
mapping. It's non-trivial to make an extension mapping work, and typically
in a web application all CGIs are rooted in the same place, anyway.

So you'll need to use a path-mapping.

-chris
