On 22/06/2022 10:37, bharath Kumar wrote:
Hi team,

Any help on this ?

Further, this exe (*abc.exe*) downloads when I hit on the url
*http://server_name/abc.exe/* and is
happening only in *Tomcat*, not with *IIS*.


Tomcat :
*http://<server_name:Port>/abc.exe*      -- exe is not getting downloaded
*http://<server_name:Port>/abc.exe/*     -- exe is getting downloaded on the browser where we hit


IIS:

*http://<server_name:Port>/abc.exe/*     -- No issue
*http://<server_name:Port>/abc.exe*      -- No issue


My intention is not to download the abc.exe ... I have a CGI
application (abc.exe) that opens up my application


Below is my web.xml configuration:

<servlet-mapping>
    <servlet-name>abc</servlet-name>
    <url-pattern>/abc.exe</url-pattern>
</servlet-mapping>

Change the mapping to /abc.exe/*

See section 12.2 of the Servlet specification for details.

Mark





Can you please help with how to stop the CGI application
(*http://<server_name:Port>/abc.exe/*) from being downloaded? (I am trying
to fix the CGI vulnerability)

Thanks,
Bharath

On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
<thomas.hoffm...@speed4trade.com.invalid> wrote:

Hello,

maybe this stackoverflow page helps already:

https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist

Your snippet of the web.xml is just a configuration of an unknown servlet.
If the corresponding servlet is custom, you need to get in touch with the
developer.

Greetings,
Thomas

-----Original Message-----
From: bharath Kumar <bharathkris...@gmail.com>
Sent: Monday, 20 June 2022 12:43
To: Tomcat Users List <users@tomcat.apache.org>
Subject: Re: Apache Tomcat 8 - Require Tomcat configuration to restrict
exe's from downloading

Sure Olaf will update it

On Mon, Jun 20, 2022 at 3:33 PM Olaf Kock <tom...@olafkock.de> wrote:


On 20.06.22 11:51, bharath Kumar wrote:
Hi Team,

I am using apache Tomcat 8 version,

*Problem statement: *

My application's accessible  URL format is
*http://<server_name>/abc/xyz.exe*

A good way to get the question answered would be to answer the
comments on your identical Stackoverflow post

https://stackoverflow.com/q/72658556/13447

If someone is asking for clarification, that's typically because they
need more information and it typically doesn't help asking elsewhere
without providing that additional information. And abandoning the
original place isn't too helpful as well.

Also: Please don't crosspost without referencing all places where you
posted - otherwise you're just generating duplicate work as nobody
knows what has already been discussed elsewhere.

Thank you,

Olaf



---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
For additional commands, e-mail: users-h...@tomcat.apache.org
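
The difference between the two mappings discussed in this thread (the exact pattern /abc.exe from the posted web.xml and the path-prefix pattern /abc.exe/* from Mark's reply), as an added example that is not part of the original messages and is not Tomcat's code. It is a simplified Python model of the Servlet specification's matching order (exact, longest path prefix, extension, default); the "default" entry mapped to "/" stands in for Tomcat's static-file default servlet and is an assumption, and only "abc" and its patterns come from the thread.

```python
# Added example: simplified model of Servlet-spec URL-pattern matching.
# Not Tomcat's implementation. "default" (mapped to "/") is an assumed
# stand-in for the static-file default servlet; "abc" is from the thread.

def is_exact(pattern):
    """Patterns that are neither path-prefix, extension nor default."""
    return not (pattern.endswith("/*") or pattern.startswith("*.") or pattern == "/")

def select_servlet(path, mappings):
    """Return the servlet name chosen for a context-relative request path."""
    # Rule 1: exact match.
    for pattern, name in mappings.items():
        if is_exact(pattern) and pattern == path:
            return name
    # Rule 2: longest path-prefix match; "/foo/*" covers "/foo" and "/foo/...".
    best = None
    for pattern, name in mappings.items():
        if pattern.endswith("/*"):
            prefix = pattern[:-2]
            if path == prefix or path.startswith(prefix + "/"):
                if best is None or len(prefix) > len(best[0]):
                    best = (prefix, name)
    if best is not None:
        return best[1]
    # Rule 3: extension match on the last path segment only.
    last_segment = path.rsplit("/", 1)[-1]
    if "." in last_segment:
        ext_pattern = "*." + last_segment.rsplit(".", 1)[1]
        if ext_pattern in mappings:
            return mappings[ext_pattern]
    # Rule 4: fall back to the default servlet, if one is mapped.
    return mappings.get("/")

# Constructed mapping sets: the web.xml from the thread, and the suggested fix.
ORIGINAL = {"/abc.exe": "abc", "/": "default"}
SUGGESTED = {"/abc.exe/*": "abc", "/": "default"}

def compare(paths):
    """Map each path to (servlet under ORIGINAL, servlet under SUGGESTED)."""
    return {p: (select_servlet(p, ORIGINAL), select_servlet(p, SUGGESTED))
            for p in paths}

if __name__ == "__main__":
    for path, (before, after) in compare(
            ["/abc.exe", "/abc.exe/", "/abc.exe/info", "/other.exe"]).items():
        print(f"{path:15} original={before:8} suggested={after}")
```

Under the original mapping only the request with the trailing slash falls through to the default servlet, which is the URL the thread reports as producing a download; under the suggested mapping both forms are routed to "abc".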


