Thank you for checking on this, Chris. The application is used by internal users only and is not available for all. So I believe it is fine to use it here.

Regards
Swathi

-----Original Message-----
From: Christopher Schultz [mailto:ch...@christopherschultz.net]
Sent: Monday, November 16, 2020 7:30 PM
To: users@tomcat.apache.org
Subject: Re: getopts of Perl is not working Tomcat 9

CAUTION: This email originated from outside the organization. Do not click links or open attachments unless you recognize the sender and know the content is safe.

Swathi,

On 11/16/20 06:47, Jonnalagadda, Swathi (External) wrote:
> I didn’t realize that it could have its own web.xml. Enabling
> enableCmdLineArguments helped. getOpts is working fine now

Please note that it can be very easy to open a security hole by allowing remote clients to specify command-line parameters on your server. Think very carefully about whether or not you want and/or need this feature.

-chris

> -----Original Message-----
> From: Mark Thomas [mailto:ma...@apache.org]
> Sent: Monday, November 16, 2020 3:29 PM
> To: Tomcat Users List
> Subject: Re: getopts of Perl is not working Tomcat 9
>
> On 16/11/2020 06:21, Jonnalagadda, Swathi (External) wrote:
>> Hi Mark,
>>
>> Thank you for replying on this.
>>
>> Please find below servlet configuration
>>
>> <servlet>
>>   <servlet-name>cgi</servlet-name>
>>   <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
>>   <init-param>
>>     <param-name>cgiPathPrefix</param-name>
>>     <param-value>cgi-bin</param-value>
>>     <param-name>executable</param-name>
>>     <param-value>/usr/bin/perl</param-value>
>>   </init-param>
>>   <load-on-startup>5</load-on-startup>
>> </servlet>
>
> That configuration is not valid. I'm surprised Tomcat even starts with a
> configuration like that. Enabling validation would catch that but I'll look
> to see if there is more we can do.
>
>> <servlet-mapping>
>>   <servlet-name>cgi</servlet-name>
>>   <url-pattern>/cgi-bin/*</url-pattern>
>> </servlet-mapping>
>>
>> The url we access is
>> http://maskedforsecurity:port/maskedapp/cgi-bin/register.cgi?-p
>
> Given a fixed version of the configuration above, getopts isn't going to work
> because you haven't enabled command line arguments.
>
> See http://tomcat.apache.org/tomcat-9.0-doc/cgi-howto.html
> Look for enableCmdLineArguments
>
> See also CVE-2019-0232 if you are running on Windows.
>
>> Please note that the cgi files are all under maskedapp/cgi-bin of webapps
>> folder.
>>
>> Also I have observed that even if I don’t configure cgi servlet in web.xml,
>> the server is executing the cgi file but it is not able to execute getopts
>> method.
>
> Then you have the CGI servlet (or the CGI filter) enabled in another
> location. Check both the global and per web application web.xml file.
> You'd normally only enable CGI in one location.
>
> Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
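
An added example, not part of the thread and not Tomcat project code: a small Python audit that flags, in a web.xml, the two issues raised above, namely an <init-param> that does not hold exactly one name/value pair (the invalid block Mark pointed out) and enableCmdLineArguments set to true (the setting Chris warns about). The sample XML is constructed from the thread's servlet block plus the setting Swathi enabled; audit_cgi and its finding labels are hypothetical names.

```python
import xml.etree.ElementTree as ET

CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample: the thread's servlet block plus the enabled setting.
SAMPLE_WEB_XML = """<web-app>
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>cgi-bin</param-value>
      <param-name>executable</param-name>
      <param-value>/usr/bin/perl</param-value>
    </init-param>
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

def local(tag):
    """Strip an XML namespace prefix; real web.xml files usually declare one."""
    return tag.rsplit("}", 1)[-1]

def child_text(elem, name):
    """Text of every direct child called `name`, duplicates preserved."""
    return [(c.text or "").strip() for c in elem if local(c.tag) == name]

def audit_cgi(xml_text):
    """Return (servlet-name, finding, param-names) for each CGIServlet issue."""
    findings = []
    root = ET.fromstring(xml_text)
    for servlet in (e for e in root.iter() if local(e.tag) == "servlet"):
        if CGI_CLASS not in child_text(servlet, "servlet-class"):
            continue
        name = (child_text(servlet, "servlet-name") or ["?"])[0]
        for ip in (c for c in servlet if local(c.tag) == "init-param"):
            names = child_text(ip, "param-name")
            values = child_text(ip, "param-value")
            if len(names) != 1 or len(values) != 1:
                # Each init-param must carry exactly one name and one value.
                findings.append((name, "malformed-init-param", names))
            elif names[0] == "enableCmdLineArguments" and values[0].lower() == "true":
                findings.append((name, "cmdline-args-enabled", names))
    return findings

if __name__ == "__main__":
    print(*audit_cgi(SAMPLE_WEB_XML), sep="\n")
```

Run it against both the global conf/web.xml and the application's WEB-INF/web.xml, since the thread notes the CGI servlet may be enabled in either place.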