List: tomcat-user
Subject: RE: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading
From: "Scott,Tim" <Tim.Scott () oclc ! org>
Date: 2022-06-22 10:11:48
Message-ID: PH0PR06MB8064165E221E391018CFE5898CB29 () PH0PR06MB8064 ! namprd06 ! prod ! outlook ! com
Hi all,
As a side note, can we all try not to have a URL with something like "abc.exe" in?
Several firewall implementations will refuse to navigate there, even though we all
know the intention is not to have it download. Trying to explain that to some people
is more difficult than avoiding the problem.
If it's just for a small number of people you know and that won't be a problem for
them, then fine.
We use:
<servlet-mapping>
<servlet-name>cgi</servlet-name>
<url-pattern>/theApp.exe</url-pattern>
</servlet-mapping>
<welcome-file-list>
<!-- Use theApp as the default application -->
<welcome-file>theApp.exe</welcome-file>
</welcome-file-list>
This hides the "theApp.exe" from the browser so such firewalls never know / interfere.
Thanks,
Tim
From: Mark Thomas <markt@apache.org>
Sent: 22 June 2022 10:56
To: users@tomcat.apache.org
Subject: [External] Re: Apache Tomcat 8 - Require Tomcat configuration to restrict exe's from downloading
On 22/06/2022 10:37, bharath Kumar wrote:
> Hi team,
>
> Any help on this ?
>
> Further this exe (*abc.exe*) downloads when I hit on the URL
> *http://server_name/abc.exe/* and is
> happening only in *Tomcat*, not with *IIS*.
>
>
> Tomcat :
> *http://<server_name:Port>/abc.exe* -- exe is not getting downloaded
> *http://<server_name:Port>/abc.exe/* -- exe is getting downloaded on
> the browser where we hit
>
>
> IIS:
>
> *http://<server_name:Port>/abc.exe/ - No issue*
> *http://<server_name:Port>/abc.exe - **No issue*
>
>
> My Intention is not to download the abc.exe ... I have a CGI
> application(abc.exe) that opens up my application
>
>
> Below is my web.xml configuration:
>
> <servlet-mapping>
> <servlet-name>abc</servlet-name>
> <url-pattern>/abc.exe</url-pattern>
> </servlet-mapping>
Change the mapping to /abc.exe/*
See section 12.2 of the Servlet specification for details.
Mark
>
>
> Can you please help how to stop the CGI application
> (*http://<server_name:Port>/abc.exe/*) from being downloaded (I am trying
> to fix the CGI Vulnerability)
>
> Thanks,
> Bharath
>
> On Mon, Jun 20, 2022 at 4:42 PM Thomas Hoffmann (Speed4Trade GmbH)
> <Thomas.Hoffmann@speed4trade.com.invalid> wrote:
> > Hello,
> >
> > maybe this stackoverflow page helps already:
> >
> > https://stackoverflow.com/questions/9862746/restrict-allow-file-access-in-tomcat-based-on-file-extension-via-whitelist
> >
> > Your snippet of the web.xml is just a configuration of an unknown servlet.
> > If the corresponding servlet is custom, you need to get in touch with the
> > developer.
> >
> > Greetings,
> > Thomas
> >
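
Added example, not part of the original thread: a simplified Python model of the Servlet specification's mapping rules (section 12.2, referenced above), showing why `/abc.exe/` misses the exact mapping and lands on the default servlet, while `/abc.exe/*` covers both forms. The context-root pattern `""` is ignored, and the servlet name `default` on `/` is an assumption taken from Tomcat's stock configuration.

```python
# Simplified model of Servlet-spec URL-pattern matching (added example).
# Order of precedence: exact match, longest path-prefix match,
# extension match, then the default servlet mapped to "/".

def select_servlet(mappings, path):
    """Return the servlet name chosen for a context-relative request path.

    mappings: dict of <url-pattern> -> <servlet-name>, as in web.xml.
    """
    exact = {p: s for p, s in mappings.items()
             if p.startswith("/") and not p.endswith("/*") and p != "/"}
    prefix = {p[:-2]: s for p, s in mappings.items()
              if p.startswith("/") and p.endswith("/*")}
    ext = {p[1:]: s for p, s in mappings.items() if p.startswith("*.")}

    # 1. Exact match: the whole path must equal the pattern.
    if path in exact:
        return exact[path]

    # 2. Longest path-prefix match: "/abc.exe/*" matches "/abc.exe",
    #    "/abc.exe/" and anything below it, but not "/abc.exe.bak".
    best = None
    for base, servlet in prefix.items():
        if path == base or path.startswith(base + "/"):
            if best is None or len(base) > len(best[0]):
                best = (base, servlet)
    if best is not None:
        return best[1]

    # 3. Extension match on the last path segment.
    last = path.rsplit("/", 1)[-1]
    if "." in last and last[last.rindex("."):] in ext:
        return ext[last[last.rindex("."):]]

    # 4. Nothing matched: the default servlet serves static content.
    return mappings.get("/", "default")


# Constructed mappings mirroring the thread's web.xml snippets.
ORIGINAL = {"/abc.exe": "abc", "/": "default"}    # exact mapping
CORRECTED = {"/abc.exe/*": "abc", "/": "default"}  # mapping suggested above

if __name__ == "__main__":
    for name, m in (("original", ORIGINAL), ("corrected", CORRECTED)):
        for path in ("/abc.exe", "/abc.exe/", "/abc.exe/extra/path"):
            print(f"{name:9} {path:22} -> {select_servlet(m, path)}")
```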