Tomcat and Railo need to be case insensitive for m

Published 2019-08-01 20:04

Question:

I am migrating several large sites from ColdFusion, MS SQL and IIS to Railo, MySQL and Tomcat 7. The set up wasn't bad but there is a lot of old code that I will be re-writing where case was not always taken into consideration.

Although I am not sure why case sensitivity is such a security threat (coming from the MS world it's never been an issue), I need to find a way to make Tomcat 7 and Railo find img/employee/greg.jpg when it is in the img/Employee/greg.jpg folder. The E in Employee is causing half of the calls to fail.

Two questions: How can I get it to be case insensitive, and why is case sensitivity such a security risk?

Answer 1:

Okay, so second question first:

Why is case sensitivity such a security risk?

Case sensitivity is not a security risk in itself. As per the comments in the other answer, the issue appears to be that it potentially bypasses security constraints on directories which have a particular name/case, specifically WEB-INF (which potentially contains sensitive code or config files).

If you attempt to access domain.com/WEB-INF Tomcat will block that, whilst it treats domain.com/Web-Inf as different, and might not block that (I haven't actually tested to see if this is the case).

However, this is not really an issue, since Railo does not require you to have the WEB-INF directory inside the webroot - you can configure Railo to point to a different location, and if that is outside the webroot then the issue is removed.

(disclaimer: this is based on available information; there might be more to it than this, but it is your responsibility to perform security scans / penetration tests against any publicly accessible websites.)


How to solve the case sensitivity problem?

There are a number of options here...

Consider another servlet engine instead of Tomcat, such as Jetty.

Whilst the same applies for Jetty as for Tomcat, Jetty's aliases option (in {jetty}/etc/webdefault.xml) is not deprecated (like Tomcat's case sensitive switch is), and in brief tests it appears to block access to all case variants of web-inf just fine.

There may well be other servlet engines that have similar options that are acceptable to use (e.g. Resin).

You don't need to remove your web server when using Railo with Tomcat.

Whilst you can use Tomcat's Coyote web server, you are not required to, and putting (for example) Apache httpd, Nginx, or IIS7 in front can give you more flexibility - and specifically it allows you to make static resources case insensitive.

I say this because the example you give is an image file, so it doesn't need to go to the servlet engine or Railo - if it's only static files which are the issue (entirely possible if all requests go through index.cfm) then simply configuring a web server to be case insensitive is a simple way to solve this, without Tomcat/Railo being in the picture.

Fix the files to use a consistent case, then use URL re-writing to redirect requests.

For example, spider your site whilst logging 404 errors - this will give you a list of case mismatches.

Once you have this, create a simple script to rename all these files to lowercase, and generate a series of rewrite rules so that requested files are redirected to the lowercase variant.

For example using mod_rewrite syntax:

# If the requested file exists, don't rewrite it (and stop processing further rules)
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* - [L]

# Requested file doesn't exist, so redirect to the lowercase version
# ((?i) makes the PCRE match case-insensitive; the dots are escaped so they match literally)
RewriteRule (?i)img/employee/greg\.jpg img/employee/greg.jpg [L,R=301]
RewriteRule (?i)img/employee/bert\.jpg img/employee/bert.jpg [L,R=301]
RewriteRule (?i)whatever\.else whatever.else [L,R=301]

The first rule ensures that files that exist aren't needlessly checked (the L flag says stop looking for further redirects), whilst the (?i) will perform a case-insensitive match and do a 301 redirect to the correct file.

This solves the immediate problem, and over time you can gradually update the code to use consistent cases until the redirects are no longer needed.

The rewrite syntax will vary depending on what you use for the web server - there are options for all of them, but some are more mature/integrated than others.
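
The 404-log-to-rewrite-rule step described above, as an added Python example that is not part of this answer: it parses constructed Apache access log lines, keeps only the 404s whose lowercase file exists after the bulk rename, refuses to generate a rule for any spelling of WEB-INF or META-INF (so the redirects never hand out the paths Tomcat blocks by name), and emits per-directory (.htaccess-style) rules using Apache's [NC] flag instead of (?i). The log lines and file list are constructed sample data.

```python
import re
from collections import OrderedDict
from urllib.parse import unquote

# Constructed Apache combined-format access log lines (sample data, not from the page).
SAMPLE_LOG = """\
10.0.0.5 - - [01/Aug/2019:20:04:01 +0000] "GET /img/Employee/greg.jpg HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.5 - - [01/Aug/2019:20:04:02 +0000] "GET /img/EMPLOYEE/greg.jpg?v=2 HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.6 - - [01/Aug/2019:20:04:03 +0000] "GET /img/employee/bert.jpg HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
10.0.0.7 - - [01/Aug/2019:20:04:04 +0000] "GET /img/Employee/missing.jpg HTTP/1.1" 404 209 "-" "Mozilla/5.0"
10.0.0.8 - - [01/Aug/2019:20:04:05 +0000] "GET /Web-Inf/web.xml HTTP/1.1" 404 209 "-" "curl/7.64.1"
"""

# Constructed set of files that exist on disk after the bulk rename to lowercase.
EXISTING_FILES = {"img/employee/greg.jpg", "img/employee/bert.jpg",
                  "index.cfm", "web-inf/web.xml"}

# Directories that must never get a case-folding redirect: Tomcat blocks /WEB-INF
# by exact name, and a rule here would route the other spellings to it.
PROTECTED_PREFIXES = ("web-inf/", "meta-inf/")

LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<path>\S+) HTTP/[\d.]+" (?P<status>\d{3}) ')

def parse_404_paths(log_text):
    """Return the unique request paths that produced a 404, in log order."""
    paths = OrderedDict()
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("status") == "404":
            # Drop the query string and leading slash so paths compare to file names.
            path = unquote(m.group("path")).split("?", 1)[0].lstrip("/")
            paths.setdefault(path, None)
    return list(paths)

def generate_rewrite_rules(paths, existing_files, protected=PROTECTED_PREFIXES):
    """Emit one case-insensitive 301 rule per lowercase target that really exists.

    No rule is produced for a path that is already lowercase, has no lowercase
    file on disk, or falls inside a protected directory.
    """
    rules = OrderedDict()
    for path in paths:
        target = path.lower()
        if target == path or target.startswith(protected) or target not in existing_files:
            continue
        # re.escape keeps "." literal; [NC] makes the match case-insensitive.
        rules.setdefault(target, "RewriteRule ^%s$ %s [NC,L,R=301]" % (re.escape(target), target))
    return list(rules.values())
```

Several case variants of the same file collapse into a single rule, and the generated lines slot in below the existing-file RewriteCond shown above.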



Answer 2:

In your railo\etc\webdefault.xml file, change aliases to true. This makes your application NOT case sensitive:

<init-param>
  <param-name>aliases</param-name>
  <param-value>true</param-value>
</init-param>

As far as why case-insensitivity is a security risk - I would say in this context it's not. If you had stored passwords and they were not case sensitive that would be an issue (aside from them not being hashed), but I don't see why this would be a security risk.