Bug 64008

Summary: Tomcat ignores default web.xml and falls back to hard-coded defaults
Product: Tomcat 8
Reporter: emergency.shower
Component: Catalina
Assignee: Tomcat Developers Mailing List <dev>
Status: RESOLVED FIXED
Severity: normal
Priority: P2
Version: 8.5.50
Target Milestone: ----
Hardware: PC
OS: Windows NT

Description emergency.shower 2019-12-17 09:47:57 UTC
We use embedded Tomcat and deploy a web app programmatically using the addWebapp(Host, String, String, LifecycleListener) method.

The LifecycleListener is a ContextConfig that has a default web.xml configured that should prevent the JSPServlet from being loaded.

Contrary to expectations, it turns out that addWebapp actively ignores the configured default web.xml and Tomcat instead loads statically hard-coded default configuration that includes the JSPServlet and servlet mappings for it.

This behaviour led to a remote code execution vulnerability in one of our products.


The code below shows how Tomcat is initialized.


import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.startup.ContextConfig;
import org.apache.catalina.startup.Tomcat;

final Tomcat tomcat;
// ...
// A ContextConfig carrying our own default web.xml, which omits the JspServlet.
final ContextConfig contextConfig = new ContextConfig();
contextConfig.setDefaultWebXml(getDefaultWebXml());

// The listener is passed in, but addWebapp still installs the hard-coded
// default servlet and JSP servlet configuration.
final Context ctx = tomcat.addWebapp(host, getContextPath(), getDocBaseDir(),
    (LifecycleListener) contextConfig);

// ...
tomcat.start();

Comment 1 Remy Maucherat 2019-12-17 10:16:08 UTC
*** Bug 64009 has been marked as a duplicate of this bug. ***
Comment 2 Mark Thomas 2019-12-17 10:19:37 UTC
The class level Javadoc does document that the various addWebapp methods configure the Default Servlet, JSP servlet etc. The LifecycleListener in #addWebapp(Host, String, String, LifecycleListener) is intended for additional configuration rather than as a complete replacement.

I'll go through the Javadoc and try and make this clearer.
Comment 3 emergency.shower 2019-12-17 10:37:35 UTC
https://bz.apache.org/bugzilla/show_bug.cgi?id=62755 seems to be a related issue.

It seems that the provided fix did not make it into the Tomcat codebase.
Comment 4 emergency.shower 2019-12-17 11:03:51 UTC
(In reply to Mark Thomas from comment #2)
> The class level Javadoc does document that the various addWebapp methods
> configure the Default Servlet, JSP servlet etc. The LifecycleListener in
> #addWebapp(Host, String, String, LifecycleListener) is intended for
> additional configuration rather than as a complete replacement.
> 
> I'll go through the Javadoc and try and make this clearer.

Is there a documented way to safely deploy a web app in embedded Tomcat without having the JspServlet added?

I've tried to override classes, but a mixture of static and private methods prevented me from getting a clean implementation.
Comment 5 Mark Thomas 2019-12-17 20:49:14 UTC
Javadoc updated in:
- master for 9.0.31 onwards
- 8.5.x for 8.5.51 onwards
- 7.0.x for 7.0.100 onwards

I also back-ported the enhancement in 62755 to 8.5.x and 7.0.x.

With the current API in 8.5.x, if you don't want the JSP servlet then one option is to use addContext() and configure everything manually. Further help and advice is available via the users mailing list if required.
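Following the addContext() route suggested in comment 5, an added example (not code from the report or from Tomcat itself) that registers only the DefaultServlet and then checks after start-up that no JspServlet or *.jsp mapping ended up in the context. The class name, port and docBase directory are placeholders; it assumes the Tomcat 8.5 embedded API.

```java
import java.io.File;
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.Tomcat;

public class NoJspEmbeddedTomcat {
    // Deploys docBase at contextPath via addContext(), registering only the
    // DefaultServlet, so the JspServlet and its *.jsp mappings are never added.
    static Context deployWithoutJsp(Tomcat tomcat, String contextPath, File docBase) {
        Context ctx = tomcat.addContext(contextPath, docBase.getAbsolutePath());

        // Static resources only; addServlet() wraps the class name in a Wrapper.
        Wrapper defaultServlet = Tomcat.addServlet(
                ctx, "default", "org.apache.catalina.servlets.DefaultServlet");
        defaultServlet.addInitParameter("listings", "false");
        defaultServlet.setLoadOnStartup(1);
        ctx.addServletMappingDecoded("/", "default");

        // Deliberately no JspServlet and no *.jsp / *.jspx mappings.
        return ctx;
    }

    // Fail fast if a JSP mapping or a JspServlet wrapper is present, e.g. after
    // someone switches back to addWebapp(), which installs the hard-coded defaults.
    static void assertNoJsp(Context ctx) {
        for (String pattern : ctx.findServletMappings()) {
            if (pattern.endsWith(".jsp") || pattern.endsWith(".jspx")) {
                throw new IllegalStateException("JSP mapping present: " + pattern);
            }
        }
        for (Container child : ctx.findChildren()) {
            String cls = ((Wrapper) child).getServletClass();
            if (cls != null && cls.endsWith("JspServlet")) {
                throw new IllegalStateException("JspServlet registered as " + child.getName());
            }
        }
    }

    public static void main(String[] args) throws Exception {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);              // placeholder port
        tomcat.getConnector();             // make sure a connector exists
        Context ctx = deployWithoutJsp(tomcat, "", new File("webapp")); // placeholder docBase
        tomcat.start();
        assertNoJsp(ctx);
        tomcat.getServer().await();
    }
}
```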