https://bz.apache.org/bugzilla/show_bug.cgi?id=64008
Bug ID: 64008
Summary: Tomcat ignores default web.xml and falls back to hard-coded defaults
Product: Tomcat 8
Version: 8.5.50
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: dev@tomcat.apache.org
Reporter: emergency.sho...@gmail.com
Target Milestone: ---

We use embedded Tomcat and deploy a web app programmatically using the
addWebapp(Host, String, String, LifecycleListener) method. The
LifecycleListener is a ContextConfig that has a default web.xml configured
which should prevent the JSPServlet from being loaded.

Contrary to expectations, it turns out that addWebapp actively ignores the
configured default web.xml and Tomcat instead loads statically hard-coded
default configuration that includes the JSPServlet and servlet mappings for
it. This behaviour led to a remote code execution vulnerability in one of our
products.

The code below shows how Tomcat is initialized.

    import org.apache.catalina.Context;
    import org.apache.catalina.Host;
    import org.apache.catalina.LifecycleListener;
    import org.apache.catalina.startup.ContextConfig;
    import org.apache.catalina.startup.Tomcat;

    final Tomcat tomcat;
    final Host host;
    // ...
    // ContextConfig carrying a default web.xml that omits the JSP servlet
    final ContextConfig contextConfig = new ContextConfig();
    contextConfig.setDefaultWebXml(getDefaultWebXml());
    // addWebapp replaces the default web.xml set above with Tomcat's hard-coded defaults
    final Context ctx = tomcat.addWebapp(host, getContextPath(), getDocBaseDir(),
            (LifecycleListener) contextConfig);
    // ...
    tomcat.start();
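The following is an added illustration, not code from the report above and not Tomcat's own code. It shows one way to defend against the behaviour the reporter describes without relying on what addWebapp does with the ContextConfig: a LifecycleListener registered after addWebapp removes every wrapper whose servlet class is org.apache.jasper.servlet.JspServlet, together with the servlet mappings that point at it, and a start-up check fails fast if any JspServlet survives. It assumes the Tomcat 8.5.x embedded API (Context.findChildren, findServletMappings, findServletMapping, removeServletMapping, removeChild), that Tomcat's hard-coded defaults are registered at BEFORE_START and so are visible by CONFIGURE_START_EVENT before any servlet is loaded, and it uses a hypothetical default web.xml path, context path and docBase in place of the report's getDefaultWebXml(), getContextPath() and getDocBaseDir() helpers.

```java
// Added example, not from the bug report or from Tomcat. Assumes the
// Tomcat 8.5.x embedded API; paths and the context path are hypothetical.
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.Host;
import org.apache.catalina.Lifecycle;
import org.apache.catalina.LifecycleEvent;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.ContextConfig;
import org.apache.catalina.startup.Tomcat;

import java.util.ArrayList;
import java.util.List;

public final class NoJspEmbedding {

    private static final String JSP_SERVLET_CLASS = "org.apache.jasper.servlet.JspServlet";

    /** Names of all servlets registered in ctx whose class is JspServlet. */
    static List<String> findJspServletNames(Context ctx) {
        List<String> names = new ArrayList<>();
        for (Container child : ctx.findChildren()) {
            if (child instanceof Wrapper
                    && JSP_SERVLET_CLASS.equals(((Wrapper) child).getServletClass())) {
                names.add(child.getName());
            }
        }
        return names;
    }

    /** Removes every JspServlet wrapper and every URL pattern mapped to it. */
    static void removeJspServlet(Context ctx) {
        for (String name : findJspServletNames(ctx)) {
            // findServletMappings() returns a copy, so removing while iterating is safe
            for (String pattern : ctx.findServletMappings()) {
                if (name.equals(ctx.findServletMapping(pattern))) {
                    ctx.removeServletMapping(pattern);
                }
            }
            ctx.removeChild(ctx.findChild(name));
        }
    }

    /**
     * Registered after addWebapp(), so it runs after both the hard-coded
     * defaults and the ContextConfig. At CONFIGURE_START no servlet has
     * been instantiated yet, so the JSP servlet never gets loaded.
     */
    static final class StripJspListener implements LifecycleListener {
        @Override
        public void lifecycleEvent(LifecycleEvent event) {
            if (Lifecycle.CONFIGURE_START_EVENT.equals(event.getType())) {
                removeJspServlet((Context) event.getLifecycle());
            }
        }
    }

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);
        Host host = tomcat.getHost();

        ContextConfig contextConfig = new ContextConfig();
        contextConfig.setDefaultWebXml("conf/no-jsp-web.xml");   // hypothetical path

        // Same call as in the report; the default web.xml above may be overridden.
        Context ctx = tomcat.addWebapp(host, "/app", "/srv/app", contextConfig); // hypothetical
        ctx.addLifecycleListener(new StripJspListener());

        tomcat.start();

        // Fail fast: whatever the defaults did, no JspServlet may survive start-up.
        List<String> leftovers = findJspServletNames(ctx);
        if (!leftovers.isEmpty()) {
            tomcat.stop();
            throw new IllegalStateException("JSP servlet still deployed: " + leftovers);
        }
        tomcat.getServer().await();
    }
}
```

The check after tomcat.start() is the part worth keeping even once the addWebapp behaviour is fixed: it inspects what was actually deployed rather than what was configured, so a future change in how defaults are applied turns into a start-up failure instead of an exposed JSP compiler.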