This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch 10.1.x in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/10.1.x by this push: new 88740f80b4 Expand security guidance to cover embedded usage 88740f80b4 is described below commit 88740f80b4f8fc0e7febdba0b70d7f73d959baf3 Author: Mark Thomas <ma...@apache.org> AuthorDate: Mon Jun 12 15:54:28 2023 +0100 Expand security guidance to cover embedded usage --- webapps/docs/changelog.xml | 9 +++++++++ webapps/docs/security-howto.xml | 30 ++++++++++++++++++++++++++++++ 2 files changed, 39 insertions(+) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index d013c64e19..dda15a61fc 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -132,6 +132,15 @@ </fix> </changelog> </subsection> + <subsection name="Web applications"> + <changelog> + <add> + Documentation. Expand the security guidance to cover the embedded use + case and add notes on the uses made of the <code>java.io.tmpdir</code> + system property. (markt) + </add> + </changelog> + </subsection> </section> <section name="Tomcat 10.1.10 (schultz)" rtext="release in progress"> <subsection name="Catalina"> diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index ffbc5bc7e6..bccda48abe 100644 --- a/webapps/docs/security-howto.xml +++ b/webapps/docs/security-howto.xml @@ -406,6 +406,13 @@ <code>/*</code>. It should also be noted the RFC6265 section 8.5 makes it clear that different paths should not be considered sufficient to isolate cookies from other applications.</p> + + <p>When <strong>antiResourceLocking</strong> is enabled, Tomcat will copy + the unpacked web application to the directory defined by the + <code>java.io.tmpdir</code> system property + (<code>$CATALINA_BASE/temp</code> by default). This location should be + secured with appropriate file permissions - typically read/write for the + Tomcat user and no access for other users.</p> </subsection> <subsection name="Valves"> 
@@ -552,6 +559,23 @@ to be co-ordinated with any headers that the reverse proxy sets.</p> </section> + <section name="Embedded Tomcat"> + <p>When using embedded Tomcat, the typical defaults provided by the scripts, + server.xml and other configuration are not set. Users of embedded Tomcat may + wish to consider the following:</p> + <ul> + <li>The listeners normally configured in server.xml, including + <code>org.apache.catalina.security.SecurityListener</code>, will not be + configured by default. They must be explicitly enabled if required.</li> + <li>The <code>java.io.tmpdir</code> will not be set (it is normally set to + <code>$CATALINA_BASE/temp</code>). This directory is used for various + temporary files that may be security sensitive including file uploads and + a copy of the web application if anti-resource locking is enabled. + Consider setting the <code>java.io.tmpdir</code> system property to an + appropriately secured directory.</li> + </ul> + </section> + <section name="General"> <p>BASIC and FORM authentication pass user names and passwords in clear text. Web applications using these authentication mechanisms with clients @@ -562,6 +586,12 @@ level of protection as the password itself. This usually means authenticating over SSL and continuing to use SSL until the session ends.</p> + + <p>Tomcat's implementation of the Servlet API's file upload support may use + the directory defined by the <code>java.io.tmpdir</code> system property + (<code>$CATALINA_BASE/temp</code> by default) to store temporary files. This + location should be secured with appropriate file permissions - typically + read/write for the Tomcat user and no access for other users.</p> </section> </body> --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
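Review bot: in the @@ -406 hunk of security-howto.xml, "($CATALINA_BASE/temp by default)" only holds when Tomcat is started via the standard scripts, which is exactly the distinction the new "Embedded Tomcat" section makes later in this patch; suggest "($CATALINA_BASE/temp by default when started with the standard scripts)" so a reader of this paragraph alone does not assume the secured location applies to an embedded instance. Minor style point in the same paragraph: "file permissions - typically read/write" uses a bare hyphen as a dash; a comma or a colon reads better in the rendered page.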
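Review bot: in the @@ -552 hunk ("Embedded Tomcat" section), "The java.io.tmpdir will not be set" is inaccurate: the JVM always sets the java.io.tmpdir system property, defaulting to the platform temporary directory (for example /tmp on Unix-like systems), which is usually shared and world-writable; what the scripts do is override it to $CATALINA_BASE/temp. Suggest wording such as "The java.io.tmpdir system property will not be overridden (the scripts normally set it to $CATALINA_BASE/temp) and will fall back to the JVM default, typically a shared, world-writable directory", since that states the actual risk the second bullet is warning about (uploads and the anti-resource-locking copy of the application landing in a shared directory) and gives the reader a concrete reason to set the property explicitly. Also consider saying "system property" in that first sentence, as the bullet does in its last sentence.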
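Review bot: in the @@ -562 hunk ("General" section), the sentence "This location should be secured with appropriate file permissions - typically read/write for the Tomcat user and no access for other users" is repeated verbatim from the antiResourceLocking paragraph added in the @@ -406 hunk; suggest keeping the permissions guidance in one place (for example here, in the General section) and having the antiResourceLocking paragraph refer to it, so the two do not drift apart in later edits. A short note on how to verify the recommendation would also help operators, for example checking the ownership and mode of $CATALINA_BASE/temp with "ls -ld $CATALINA_BASE/temp" and confirming it is owned by the Tomcat user with no group or world access.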