-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 All,
Someone asked this question on SO recently: https://stackoverflow.com/questions/53921375/tomcat-overriding-catalina- properties-from-commandline/53952396#53952396 TLDR: this person wants to set system properties in catalina.properties but be able to "override" those from the command-lin e. The fix would be trivial: just don't clobber the value of any existing system property in CatalinaProperties when copying the properties from the file to the live system properties. I'm wondering if anyone can think of any security issues with doing that. Presumably, if a user can launch Tomcat, they can set system properties. However, it's possible that a user might have the right to *launch* Tomcat, but not reconfigure it (e.g. read-only catalina.properties). That could easily be solved by using a catalina.properties-only setting like "catalina.properties.noclobber.system.properties=true" or something like that. What does everyone think? Thanks, - -chris -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAlwmPCQACgkQHPApP6U8 pFgmzRAAnIzALW5ugkGrQl9uHYBz/WrNXISiSc4aqCXzqzlmDAGENO4coRzTe88n 0uFWLVbjembgz78Cbs1+AdjuGxwpMhPb+mWysAB/Rq7iosr00eXOrV64prHjRhCU pV00Om943PuxegLFQ/O4WW5grWyUUUm7mWBbyadAbs6ZOspnozS9DJnCwxIwTQgz JY3kRhZq7+lEirtKBdjtbyaDdVn9BXy59wgXa4e6AQ7ESN41S3NM+9AMhFfTP9Ly 12s/Vb9WQa5hpQsJqVUVoHmDYSI3bQs++7LWTr3fIR7+829A8rTvYS4rxvWhUE3O dXZFHWU4ATU49kCHG0zHpsDBgU4bL611nsh2yJiVj0uGL/+DxjM0B8Z4Cf+XbltL wXaraK2oh1SQwo6NqzhW/b5MxzVr7aiX1fuM5hOEZfgbTROnTRnP/uEVVnh5q16v LPY0SSdJJhLcuxQR8m3ZaFaWik3kZ7SCAq3Mt/jFMjVvmhHQ13WWmrHtiDaYhd1l Eoi9iGS6AHTr66opoqSfYbviRT2fiRRnwmzXXuFX3U9X7gXhUp44CPqiNODtma22 xPNgDKyuWYByILGRigG/B+Wb3Y2cUTCcuSvI3H/l5PoPi35mR24bmJvC8EWkD1HF 5knfa/ZBoGx48YuXnzVUWe95JAnmNrnj/qcdZ4/1ljxd76jCEGQ= =qES3 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
