Geronimo / GERONIMO-3837

allowLinking Tomcat attribute in StandardContext not configurable through Geronimo

    Details

    • Type: Bug
    • Status: Closed
    • Priority: Major
    • Resolution: Fixed
    • Affects Version/s: 2.0.2, 2.1, 2.2
    • Fix Version/s: 2.0.3, 2.1.1, 2.2
    • Component/s: Tomcat
    • Security Level: public (Regular issues)
    • Labels:
      None
    • Environment:

      G 2.0.2 Tomcat on Linux

      Description

      Tomcat provides an allowLinking attribute in the StandardContext which, when set to true, will enable Tomcat running on the Linux platform to serve paths associated with symbolic links. Configuring this attribute through Geronimo is not currently possible. A link to a query posted on the user list is given below.
      http://www.mail-archive.com/user@geronimo.apache.org/msg08509.html

        Activity

        Vamsavardhana Reddy added a comment - Added doc at http://cwiki.apache.org/confluence/display/GMOxDEV/Configure+allowLinking+for+Tomcat+contexts
        Joe Bohn added a comment -

        Vamsi,
        You added a comment on the 2.1.1 status page indicating you are awaiting a doc link from Hernan before you can close this. Is doc the only thing remaining to be done? Does Hernan know that you are waiting on him?

        Regarding making this configurable per application ... I think that if that is required it would make sense to be another JIRA.

        Thanks,
        Joe

        Vamsavardhana Reddy added a comment -

        Is it desirable to make this configurable on a per application basis? If not, we are done and the JIRA can be closed.

        Donald Woods added a comment -

        Can this be closed now?
        Also, have you added details of this new option to the 2.1 Docs?

        Vamsavardhana Reddy added a comment -

        Completed: At revision: 620623 in trunk (2.2)
        Completed: At revision: 620626 in branches\2.1
        Completed: At revision: 620627 in branches\2.0

        o Enabling this attribute per server instance using a system property org.apache.geronimo.tomcat.GeronimoStandardContext.allowLinking

        Vamsavardhana Reddy added a comment -

        http://tomcat.apache.org/tomcat-6.0-doc/config/context.html

        If the value of this flag is true, symlinks will be allowed inside the web application, pointing to resources outside the web application base path. If not specified, the default value of the flag is false.

        NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.

        Vamsavardhana Reddy added a comment -

        This allowLinking attribute can be enabled on a per application basis. However it would require a Tomcat-specific element in geronimo-web.xml. This would mean a schema change (argh... that hurts) and requires modifications to deployment code. We can provide enabling this attribute per server instance for G 2.0.x and G 2.1.x Tomcat servers using a system property org.apache.geronimo.tomcat.GeronimoStandardContext.allowLinking as it would require minimal changes to code and won't come in the way of compatibility. If there is a necessity to enable this attribute on a per application basis, then we can introduce an allow-linking element in geronimo-web.xml from G 2.2 which will override any default value set using the system property above.

        Any comments? Suggestions? Any pitfalls that I am not seeing?
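
        Added example, not part of the issue thread or of Geronimo's code: because the system property applies to every Tomcat context on the server instance, a pre-check of each deployed web application directory can list the symlinks that would resolve outside the base path once allowLinking is on, and probe for the case-insensitive filesystem that the quoted Tomcat note rules out. The function names and the directory passed on the command line are assumptions.

```python
import os
import sys
import tempfile


def escaping_symlinks(webapp_base):
    """Return sorted (link_relative_path, resolved_target) pairs for symlinks
    under webapp_base whose real target lies outside webapp_base."""
    base = os.path.realpath(webapp_base)
    found = []
    # followlinks=False: report the links themselves, never walk through them.
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            path = os.path.join(root, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # also resolves chained links
            if os.path.commonpath([base, target]) != base:
                found.append((os.path.relpath(path, base), target))
    return sorted(found)


def is_case_insensitive(directory):
    """Probe the filesystem holding `directory`: create a lower-case temp
    file and test whether its upper-case spelling resolves to the same file."""
    with tempfile.NamedTemporaryFile(prefix="casechk", dir=directory) as f:
        upper = os.path.join(directory, os.path.basename(f.name).upper())
        return os.path.exists(upper)


if __name__ == "__main__":
    # Usage (hypothetical path): python audit_links.py /path/to/deployed/webapp
    base = sys.argv[1]
    if is_case_insensitive(base):
        print("case-insensitive filesystem: allowLinking must stay false")
    for link, target in escaping_symlinks(base):
        print(f"{link} -> {target} (outside web application base path)")
```
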


          People

          • Assignee:
            Vamsavardhana Reddy
            Reporter:
            Vamsavardhana Reddy