tomcat paths case sensitivity


Richard Meredith-Hardy

Mar 1, 2010, 3:50:55 AM
to Railo
Dear all

On a win2k3 r2 / iis6 / Tomcat 6 / Railo install, by default tomcat
will throw a 404 with the url

www.myDomain.com/SUBDIR

when the directory name is /subdir

I seem to be able to make it case-insensitive, which is what I want,
by adding caseSensitive="false" to the context attribute in the host
attribute in server.xml

But in the Tomcat documentation it says:
============
caseSensitive

Deprecated. This option will be removed in Tomcat 7 onwards where the
default of true will always be used.

If the value of this flag is false, all case sensitivity checks will
be disabled. If not specified, the default value of the flag is true.

NOTE: This flag MUST NOT be set to false on the Windows platform (or
any other OS which does not have a case sensitive filesystem), as it
will disable case sensitivity checks, allowing JSP source code
disclosure, among other security problems.
==========

So does anyone know is this a bad thing with Railo too? (I don’t have
any other apps running in Tomcat).

Thanks

Richard

ps I sent this yesterday out of my normal email client but it doesn't
seem to have arrived. If it does, apologies in advance for the
duplicate post.

Richard Meredith-Hardy

Feb 28, 2010, 1:29:46 PM
to ra...@googlegroups.com

Dear all

On a win2k3 r2 / iis6 / Tomcat / Railo install, by default tomcat will throw a 404 with the url

www.myDomain.com/SUBDIR

when the directory name is /subdir

I seem to be able to make it case-insensitive, which is what I want, by adding caseSensitive="false" to the context attribute in the host attribute in server.xml

But in the Tomcat documentation it says:
============
caseSensitive

Deprecated. This option will be removed in Tomcat 7 onwards where the default of true will always be used.

If the value of this flag is false, all case sensitivity checks will be disabled. If not specified, the default value of the flag is true.

NOTE: This flag MUST NOT be set to false on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.
==========

So is this a bad thing with Railo too? (I don’t have any other apps running in Tomcat).

Thanks

Richard

Jordan Michaels

Mar 1, 2010, 12:34:32 PM
to ra...@googlegroups.com
Unfortunately, yes. It will still be an issue if you're running Railo on
top of Tomcat. From what I know of the issue (I haven't been able to
find too much information on it, but honestly I haven't looked too
hard), it has to do with what resolves properly and what doesn't. So
Railo doesn't even factor into it.

It's best to just avoid the issue altogether and use a standard naming
convention when you create your directories. The same goes for symbolic
links - just best to avoid them in Windows, but it's not an issue on Linux.

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
Open BlueDragon Steering Committee
Railo Community Distributions

Richard Meredith-Hardy wrote:
> Dear all
>
> On a win2k3 r2 / iis6 / Tomcat 6 / Railo install, by default tomcat
> will throw a 404 with the url
>
> www.myDomain.com/SUBDIR
>
> when the directory name is /subdir
>
> I seem to be able to make it case-insensitive, which is what I want,
> by adding caseSensitive="false" to the context attribute in the host
> attribute in server.xml
>
> But in the Tomcat documentation it says:
> ============
> caseSensitive
>
> Deprecated. This option will be removed in Tomcat 7 onwards where the
> default of true will always be used.
>
> If the value of this flag is false, all case sensitivity checks will
> be disabled. If not specified, the default value of the flag is true.
>
> NOTE: This flag MUST NOT be set to false on the Windows platform (or
> any other OS which does not have a case sensitive filesystem), as it
> will disable case sensitivity checks, allowing JSP source code
> disclosure, among other security problems.
> ==========
>
> So does anyone know is this a bad thing with Railo too? (I don’t have
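
The check implied by the Tomcat note quoted in this thread, as an added example (not code from the thread or from Tomcat): it lists every `<Context>` in a `server.xml` that sets `caseSensitive="false"` and probes whether a directory sits on a case-insensitive filesystem, which is the combination the note forbids. The sample `server.xml`, its second host name, the `docBase` paths and all function names are constructed for illustration.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample for illustration; host names and docBase paths are made up.
SAMPLE_SERVER_XML = """
<Server><Service name="Catalina"><Engine name="Catalina" defaultHost="localhost">
  <Host name="www.myDomain.com" appBase="webapps">
    <Context path="" docBase="C:/websites/mydomain" caseSensitive="false"/>
  </Host>
  <Host name="other.example" appBase="webapps">
    <Context path="" docBase="C:/websites/other"/>
  </Host>
</Engine></Service></Server>
"""

def contexts_without_case_checks(server_xml_text):
    """Return (host, docBase) for each <Context> that sets caseSensitive="false"."""
    found = []
    for host in ET.fromstring(server_xml_text).iter("Host"):
        for ctx in host.iter("Context"):
            # Per the quoted documentation, an absent attribute means true.
            if ctx.get("caseSensitive", "true").strip().lower() == "false":
                found.append((host.get("name"), ctx.get("docBase")))
    return found

def filesystem_is_case_insensitive(directory):
    """Create a lower-case file and see whether its upper-case name resolves."""
    with tempfile.NamedTemporaryFile(prefix="casechk", dir=directory) as probe:
        head, tail = os.path.split(probe.name)
        return os.path.exists(os.path.join(head, tail.upper()))

def audit(server_xml_text, probe_dir):
    """Flag the combination the Tomcat note forbids: checks off on a case-blind disk."""
    insensitive = filesystem_is_case_insensitive(probe_dir)
    return [{"host": h, "docBase": d, "forbidden_combination": insensitive}
            for h, d in contexts_without_case_checks(server_xml_text)]

if __name__ == "__main__":
    for finding in audit(SAMPLE_SERVER_XML, tempfile.gettempdir()):
        print(finding)
```

Point `probe_dir` at the volume that actually holds the webroot, since case sensitivity is a property of the filesystem rather than of the machine.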

Richard Meredith-Hardy

Mar 2, 2010, 9:18:31 AM
to Railo
Of course the trouble is that I'm migrating a whole lot of stuff from
CF on windows and while I tend to use lowercase in urls I have 15
years worth of stuff which could have links in it in upper or mixed
case.

I understand caseSensitive="false" makes a way of seeing jsp source
code, but I've no jsp running in this tomcat instance, and it does fix
my problem by making tomcat paths case-insensitive, but I've no idea
if the dire warning in tomcat documentation means something in the
case of a Railo - on - tomcat install.

Does anyone know?

Regards

Richard

Jordan Michaels

Mar 2, 2010, 1:32:53 PM
to ra...@googlegroups.com
The way CFML files work and the way JSP files work are extremely
similar. If a vulnerability exists when you enable a parameter on a
specific OS when JSP is processed, it's extremely logical to assume it
also exists when CFML is processed.

--
Warm regards,
Jordan Michaels
Vivio Technologies
http://www.viviotech.net/
Open BlueDragon Steering Committee
Railo Community Distributions

Richard Meredith-Hardy

Mar 3, 2010, 6:39:20 AM
to Railo
Jordan

Hmmm, OK. Perhaps I will disable it then.

Maybe something like UrlRewriteFilter might be an option to fix my
problem, make sure all paths are lower case and convert all incoming
URLs to lower case. I'll look at it.

On a slightly different subject, but seeing as my setup is your
standard (excellent) installer configuration, I was messing around
with it in an effort to put the WEB-INF folders elsewhere than in a
website's webroot as per http://groups.google.com/group/railo/msg/ece3b4e75a529783
but haven't managed to achieve anything like it.

I only would like to move them for the sake of ease of maintenance,
I'd prefer just to have my scripts in the webroot and not any OS
stuff.

Have you any tips on how I might achieve this?

Thanks

Richard

On Mar 2, 6:32 pm, Jordan Michaels <jor...@getrailo.org> wrote:
> The way CFML files work and the way JSP files work are extremely
> similar. If a vulnerability exists when you enable a parameter on a
> specific OS when JSP is processed, it's extremely logical to assume it
> also exists when CFML is processed.
>
> --
> Warm regards,
> Jordan Michaels
> Vivio Technologies
> http://www.viviotech.net/
> Open BlueDragon Steering Committee
> Railo Community Distributions
>
>
>
> Richard Meredith-Hardy wrote:
> > Of course the trouble is that I'm migrating a whole lot of stuff from
> > CF on windows and while I tend to use lowercase in urls I have 15
> > years worth of stuff which could have links in it in upper or mixed
> > case.
>
> > I understand caseSensitive="false" makes a way of seeing jsp source
> > code, but I've no jsp running in this tomcat instance, and it does fix
> > my problem by making tomcat paths case-insensitive, but I've no idea
> > if the dire warning in tomcat documentation means something in the
> > case of a Railo - on - tomcat install.
>
> > Does anyone know?
>
> > Regards
>
> > Richard

Jordan Michaels

Mar 3, 2010, 3:50:02 PM
to ra...@googlegroups.com
Hmmm... Honestly I've never tried anything like this, so I'm not certain.

The CFMLServlet definition is set in the Tomcat default web.xml file,
located in c:\railo\tomcat\conf\web.xml by default. You'd need to update
it, restart Tomcat, and see what you get.

Hope this helps!

Stefan

Mar 3, 2010, 7:29:05 PM
to Railo
I have been through that. What I did was that I did a regexp search
for all files that contained caps, saved the hit list and then I used
a tool I do not remember the name of and renamed them to all
lowercase, then I actually made a cf app to search all my source code
for reference to those renamed files, making a lcase on the hits. Like
you I had far too many files to do manual work. I think a UrlRewrite
is just postponing the problem, but maybe it suits your need. Tomcat is
not so good at that from what I remember, not as good as Resin in any
case (!).

I do not find the CF script I used though, but it just traversed
through the directories, read each cfm/cfc and made a reMatch for
logging and reReplaceNoCase to replace with LCase.
There might be smarter methods, but it worked for me. Unless you
fiddle around with advanced regexp you might end up changing case on
some of your variables if a file has the same name, but they are at
least case insensitive.

On Mar 3, 12:39 pm, Richard Meredith-Hardy <r...@flymicro.com> wrote:
> Jordan
>
> Hmmm, OK.  Perhaps I will disable it then.
>
> Maybe something like UrlRewriteFilter might be an option to fix my
> problem, make sure all paths are lower case and convert all incoming
> URLs to lower case. I'll look at it.
>
> On a slightly different subject, but seeing as my setup is your
> standard (excellent) installer configuration, I was messing around
> with it in an effort to put the WEB-INF folders elsewhere than in a
> website's webroot as per http://groups.google.com/group/railo/msg/ece3b4e75a529783
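
The rename-then-fix-references approach Stefan describes, as an added example (not the script from the thread, which was not posted): it plans lower-case renames under a webroot, leaves `WEB-INF` alone, reports names that differ only by case, and rewrites only `name.ext` path references so that variables sharing a file's base name are not touched. The function names, the sample tree and the assumption that references use forward slashes belong to this example.

```python
import os
import re
import tempfile

SKIP_DIRS = {"WEB-INF", "META-INF"}      # container directories: names must keep their case
TOKEN = re.compile(r"[\w.\-/]*\w\.\w+")  # path-like token ending in name.ext

def plan_renames(webroot):
    """Return (renames, collisions); renames are (old, new) pairs, deepest first."""
    renames, collisions = [], []
    for dirpath, dirnames, filenames in os.walk(webroot):
        dirnames[:] = [d for d in dirnames if d.upper() not in SKIP_DIRS]
        groups = {}
        for name in dirnames + filenames:
            groups.setdefault(name.lower(), []).append(name)
        for low, names in groups.items():
            if len(names) > 1:           # differ only by case: needs a human decision
                collisions.append(os.path.join(dirpath, low))
            elif names[0] != low:
                renames.append((os.path.join(dirpath, names[0]),
                                os.path.join(dirpath, low)))
    renames.sort(key=lambda pair: pair[0].count(os.sep), reverse=True)
    return renames, collisions

def rewrite_references(text, renamed):
    """Lower-case references to renamed files; return (new_text, changes)."""
    changes = []
    def fix(match):
        old = match.group(0)
        parts = old.split("/")
        if parts[-1].lower() not in renamed:
            return old                   # not one of the renamed files: leave untouched
        new = "/".join(p.lower() if p.lower() in renamed else p for p in parts)
        if new != old:
            changes.append((old, new))
        return new
    return TOKEN.sub(fix, text), changes

def demo():
    """Constructed sample tree and source line, for illustration only."""
    with tempfile.TemporaryDirectory() as root:
        os.makedirs(os.path.join(root, "SubDir"))
        os.makedirs(os.path.join(root, "WEB-INF", "Railo"))
        open(os.path.join(root, "SubDir", "Header.cfm"), "w").close()
        renames, collisions = plan_renames(root)
        renamed = {os.path.basename(new) for _, new in renames}
        src = '<cfset Header = 1><cfinclude template="/SubDir/Header.cfm">'
        return renamed, collisions, rewrite_references(src, renamed)
```

Apply the planned renames in the returned order (children before their parent directories), and keep the `changes` list as the log of every reference that was altered.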

Richard Meredith-Hardy

Mar 5, 2010, 5:42:31 AM
to Railo
Stefan.

Thanks. I'll probably end up having to do this at some stage (groan)

Regards

Richard

> > > > code, but I've no jsp running in this tomcat instance, and it does fix
> > > > my problem by making tomcat paths case-insensitive, but I've no idea
> > > > if the dire warning in tomcat documentation means something in the
> > > > case of a Railo - on - tomcat install.
>
> > > > Does anyone know?
>
> > > > Regards
>
> > > > Richard
