| Field | Value |
|---|---|
| Summary | CGIServlet adds too much to the SCRIPT_NAME environment variable if the script is followed by an extra path |
| Product | Tomcat 9 |
| Reporter | jm009 <jan0michael> |
| Component | Catalina |
| Assignee | Tomcat Developers Mailing List <dev> |
| Status | RESOLVED FIXED |
| Severity | normal |
| Priority | P2 |
| Version | 9.0.0.M21 |
| Target Milestone | ----- |
| Hardware | PC |
| OS | Linux |
Description
jm009
2017-06-19 21:53:51 UTC
Hmm. The CGI servlet isn't designed to be mapped that way. I'm a little surprised it even worked. The docs aren't clear on what is expected to work and what isn't. The script finding logic appears to depend on what sort of mapping is used. The new getHttpServletMapping() in Servlet 4.0 may enable a wider range of mappings to be supported. I need to dig into this some more.

At the moment, the minimum I anticipate doing is:

- documenting which mapping styles are supported and which are not
- updating the checks in 9.0.x (and 8.5.x since the Servlet 4.0 functionality is back-ported) to reject requests using unsupported mapping types.

At best, I'll add support for all mapping types and document each.

That turned out much better than I expected. The fix was simple and did not need to depend on the new Servlet 4.0 features. Best of all, it used LESS code.

Fixed in:

- trunk for 9.0.0.M22 onwards
- 8.5.x for 8.5.16 onwards
- 8.0.x for 8.0.45 onwards
- 7.0.x for 7.0.79 onwards

It seems that the fix disables calling http://127.0.0.1:8086/nextcloud/test2.sh/login

It gives:

```
HTTP Status [404] – [Not Found]
Type Status Report
Description The origin server did not find a current representation for the target resource or is not willing to disclose that one exists.
```

Sorry, it works. I had changed my web.xml. What does not work is

```xml
<servlet-mapping>
    <servlet-name>test-cgi</servlet-name>
    <url-pattern>/test2.sh/*</url-pattern>
</servlet-mapping>
```

This would be useful for nextcloud. For demo see demo.nextcloud.com

It uses virtual paths like /login, /apps/files, /apps/activity, /apps/gallery (At least I think they are virtual, because there is no index.php in the /apps/files, /apps/activity and /apps/gallery subdirectories. And there is no /login subdirectory.)

In lib/base.php in function handleRequest() there are checks like

```php
if ($requestPath === '/heartbeat') {

if ($requestPath === '/disableapp'
    && $request->getMethod() === 'POST'
    && ((array)$request->getParam('appid')) !== ''
) {
```

I'll see if I can get it to work otherwise. The sqwebmail-servlet even puts some arbitrary long numbers in the path part of the URL.
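The mapping question in the thread above (whether a directory prefix mapping such as /cgi-bin/*, a script-as-prefix mapping such as /test2.sh/*, and an extension mapping such as *.sh should all work, and how the path after the script must land in PATH_INFO rather than being appended to SCRIPT_NAME) can be made concrete with a small model. The Python below is an added example; it is not Tomcat's CGIServlet code and not taken from the report. It assumes a constructed table of script paths in place of the real filesystem lookup, and its function and variable names are its own. It goes slightly beyond the thread by handling all three mapping styles and by adding a consistency check a defender could run against the environment a gateway hands to a script.

```python
from typing import FrozenSet, Optional, Tuple

# Constructed stand-in for the filesystem: URL-relative paths inside the web
# application that resolve to an executable CGI script.  A real gateway would
# stat the directory the script lives in; this example only looks paths up.
SCRIPTS: FrozenSet[str] = frozenset({
    "/cgi-bin/test.sh",   # script reached through a directory prefix mapping (/cgi-bin/*)
    "/test2.sh",          # script mapped directly, as /test2.sh/* in the report
})


def matches_mapping(mapping: str, rel_path: str, script_segment: str) -> bool:
    """Minimal url-pattern check for the three web.xml mapping styles:
    prefix ("/x/*"), extension ("*.sh") and exact ("/x")."""
    if mapping.endswith("/*"):
        prefix = mapping[:-2]
        return rel_path == prefix or rel_path.startswith(prefix + "/")
    if mapping.startswith("*."):
        # an extension mapping is judged on the script's own name, not on PATH_INFO
        return script_segment.endswith(mapping[1:])
    return rel_path == mapping


def split_cgi_path(context_path: str, mapping: str, request_path: str,
                   scripts: FrozenSet[str] = SCRIPTS) -> Tuple[str, Optional[str]]:
    """Return (SCRIPT_NAME, PATH_INFO) for request_path.

    The request path is consumed one segment at a time; the shortest prefix
    that names a script becomes SCRIPT_NAME and everything after it becomes
    PATH_INFO (None when nothing follows).  The extra path is never folded
    into SCRIPT_NAME, which is the defect the report describes.
    """
    if request_path != context_path and not request_path.startswith(context_path + "/"):
        raise ValueError("request is outside the context path")
    rel = request_path[len(context_path):] or "/"
    segments = rel.split("/")[1:]              # drop the empty element before the leading "/"
    if "." in segments or ".." in segments:    # never let dot segments reach the filesystem
        raise ValueError("dot segments are not allowed")

    script = ""
    for i, seg in enumerate(segments):
        script += "/" + seg
        if script in scripts:
            if not matches_mapping(mapping, rel, seg):
                raise ValueError("script is not covered by the servlet mapping")
            rest = segments[i + 1:]
            path_info = "/" + "/".join(rest) if rest else None
            return context_path + script, path_info
    raise ValueError("no CGI script found on the request path")


def env_is_consistent(context_path: str, script_name: str, path_info: Optional[str],
                      request_path: str, scripts: FrozenSet[str] = SCRIPTS) -> bool:
    """Check a defender can run on a gateway's environment: SCRIPT_NAME must
    name an actual script inside the context, and SCRIPT_NAME followed by
    PATH_INFO must reproduce the request path, so neither variable has
    absorbed part of the other."""
    inside = script_name.startswith(context_path)
    names_script = script_name[len(context_path):] in scripts
    return inside and names_script and script_name + (path_info or "") == request_path


if __name__ == "__main__":
    # Constructed requests modelled on the URLs in the report.
    for ctx, mapping, path in [
        ("/nextcloud", "/test2.sh/*", "/nextcloud/test2.sh/login"),
        ("/nextcloud", "/cgi-bin/*", "/nextcloud/cgi-bin/test.sh/apps/files"),
        ("", "*.sh", "/test2.sh/apps/gallery"),
        ("/nextcloud", "/test2.sh/*", "/nextcloud/test2.sh"),
    ]:
        name, info = split_cgi_path(ctx, mapping, path)
        ok = env_is_consistent(ctx, name, info, path)
        print(f"{path!r:45} SCRIPT_NAME={name!r} PATH_INFO={info!r} consistent={ok}")
```

The consistency check is the part worth keeping: a script such as the nextcloud router compares PATH_INFO against values like /login, so a gateway that sets SCRIPT_NAME to /nextcloud/test2.sh/login and leaves PATH_INFO empty still satisfies the naive "SCRIPT_NAME plus PATH_INFO equals the path" rule; requiring SCRIPT_NAME to name a real script is what exposes that case.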