https://bz.apache.org/bugzilla/show_bug.cgi?id=64008
Bug ID: 64008
Summary: Tomcat ignores default web.xml and falls back to hard-coded defaults
Product: Tomcat 8
Version: 8.5.50
Hardware: PC
OS: Windows NT
Status: NEW
Severity: normal
Priority: P2
Component: Catalina
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: ----
We use embedded Tomcat and deploy a web app programmatically using the
addWebapp(Host, String, String, LifecycleListener) method.
The LifecycleListener is a ContextConfig that has a default web.xml configured
that should prevent the JSPServlet from being loaded.
Contrary to expectation, it turns out that addWebapp actively ignores the
configured default web.xml and Tomcat instead loads statically hard-coded
default configuration that includes the JSPServlet and servlet mappings for it.
This behaviour led to a remote code execution vulnerability in one of our
products.
The code below shows how Tomcat is initialized.
final Tomcat tomcat;
// ...
// ContextConfig carrying our own default web.xml (one without the JSP servlet)
final ContextConfig contextConfig = new ContextConfig();
contextConfig.setDefaultWebXml(getDefaultWebXml());
// Passed as the LifecycleListener argument of addWebapp
final Context ctx = tomcat.addWebapp(host, getContextPath(), getDocBaseDir(),
        (LifecycleListener) contextConfig);
// ...
tomcat.start();
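As an added example (not the reporter's code and not part of Tomcat), the following start-up self-check detects the condition described in the report: after tomcat.start() it walks the context's servlet mappings and fails fast if any of them resolve to a wrapper whose servlet class is Jasper's JspServlet. The port, base directory, context path, docBase and DEFAULT_WEB_XML are placeholders assumed for the example.

```java
import org.apache.catalina.Container;
import org.apache.catalina.Context;
import org.apache.catalina.LifecycleException;
import org.apache.catalina.LifecycleListener;
import org.apache.catalina.Wrapper;
import org.apache.catalina.startup.ContextConfig;
import org.apache.catalina.startup.Tomcat;

import java.util.ArrayList;
import java.util.List;

public final class JspServletStartupCheck {

    // Servlet class that Tomcat's built-in defaults register under the name "jsp".
    private static final String JSP_SERVLET_CLASS = "org.apache.jasper.servlet.JspServlet";

    // Placeholder: a default web.xml that deliberately omits the JSP servlet.
    private static final String DEFAULT_WEB_XML = "/opt/app/conf/default-web.xml";

    /** URL patterns in ctx whose wrapper is the JSP servlet; empty means it is not reachable. */
    public static List<String> findJspMappings(Context ctx) {
        List<String> hits = new ArrayList<>();
        for (String pattern : ctx.findServletMappings()) {
            String servletName = ctx.findServletMapping(pattern);
            Container child = ctx.findChild(servletName);
            if (child instanceof Wrapper
                    && JSP_SERVLET_CLASS.equals(((Wrapper) child).getServletClass())) {
                hits.add(pattern + " -> " + servletName);
            }
        }
        return hits;
    }

    public static void main(String[] args) throws LifecycleException {
        Tomcat tomcat = new Tomcat();
        tomcat.setPort(8080);
        tomcat.setBaseDir("/tmp/embedded-tomcat"); // placeholder work directory

        ContextConfig contextConfig = new ContextConfig();
        contextConfig.setDefaultWebXml(DEFAULT_WEB_XML);
        Context ctx = tomcat.addWebapp(tomcat.getHost(), "/app", "/opt/app/webapp",
                (LifecycleListener) contextConfig);
        tomcat.start();

        // Verify that the configured default web.xml actually took effect.
        List<String> jsp = findJspMappings(ctx);
        if (!jsp.isEmpty()) {
            tomcat.stop();
            throw new IllegalStateException("JSP servlet mapped despite custom default web.xml: " + jsp);
        }
        tomcat.getServer().await();
    }
}
```

On the affected version the check throws, listing the *.jsp and *.jspx mappings that Tomcat's hard-coded defaults installed.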