<?xml version="1.0" encoding="UTF-8"?>
<!--
Licensed to the Apache Software Foundation (ASF) under one or more
contributor license agreements. See the NOTICE file distributed with
this work for additional information regarding copyright ownership.
The ASF licenses this file to You under the Apache License, Version 2.0
(the "License"); you may not use this file except in compliance with
the License. You may obtain a copy of the License at

http://www.apache.org/licenses/LICENSE-2.0

Unless required by applicable law or agreed to in writing, software
distributed under the License is distributed on an "AS IS" BASIS,
WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
See the License for the specific language governing permissions and
limitations under the License.
-->
<!DOCTYPE document [
<!ENTITY project SYSTEM "project.xml">
]>
<document url="cgi-howto.html">

&project;

<properties>
<title>CGI How To</title>
</properties>

<body>

<section name="Table of Contents">
<toc/>
</section>

<section name="Introduction">

<p>The CGI (Common Gateway Interface) defines a way for a web server to
interact with external content-generating programs, which are often
referred to as CGI programs or CGI scripts.
</p>

<p>Within Tomcat, CGI support can be added when you are using Tomcat as your
HTTP server and require CGI support. Typically this is done
during development when you don't want to run a web server like
Apache httpd.
Tomcat's CGI support is largely compatible with Apache httpd's,
but there are some limitations (e.g., only one cgi-bin directory).
</p>

<p>CGI support is implemented using the servlet class
<code>org.apache.catalina.servlets.CGIServlet</code>. Traditionally,
this servlet is mapped to the URL pattern "/cgi-bin/*".</p>

<p>By default CGI support is disabled in Tomcat.</p>
</section>

<section name="Installation">

<p><strong>CAUTION</strong> - CGI scripts are used to execute programs
external to the Tomcat JVM. If you are using the Java SecurityManager this
will bypass your security policy configuration in <code>catalina.policy</code>.</p>

<p>To enable CGI support:</p>

<ol>
<li><p>There are commented-out sample servlet and servlet-mapping elements for
the CGI servlet in the default <code>$CATALINA_BASE/conf/web.xml</code> file.
To enable CGI support in your web application, copy those servlet and
servlet-mapping declarations into the <code>WEB-INF/web.xml</code> file of your
web application.</p>

<p>Uncommenting the servlet and servlet-mapping in the
<code>$CATALINA_BASE/conf/web.xml</code> file enables CGI for all installed
web applications at once.</p>
</li>

<li><p>Set <code>privileged="true"</code> on the Context element for your
web application.</p>

<p>Only Contexts which are marked as privileged are allowed to use the
CGI servlet. Note that modifying the global <code>$CATALINA_BASE/conf/context.xml</code>
file affects all web applications. See the
<a href="config/context.html">Context documentation</a> for details.</p>
</li>
</ol>

</section>

<section name="Configuration">

<p>There are several servlet init parameters which can be used to
configure the behaviour of the CGI servlet.</p>
<ul>
<li><strong>cgiMethods</strong> - Comma separated list of HTTP methods. Requests
using one of these methods will be passed to the CGI script for the script to
generate the response. The default value is <code>GET,POST</code>. Use
<code>*</code> for the script to handle all requests regardless of method.
Unless overridden by the configuration of this parameter, requests using HEAD,
OPTIONS or TRACE will be handled by the superclass.</li>
<li><strong>cgiPathPrefix</strong> - The CGI search path will start at
the web application root directory + File.separator + this prefix.
By default there is no value, which results in the web application root
directory being used as the search path. The recommended value is
<code>WEB-INF/cgi</code>.</li>
<li><strong>cmdLineArgumentsDecoded</strong> - If command line arguments
are enabled (via <strong>enableCmdLineArguments</strong>) and Tomcat is running
on Windows then each individual decoded command line argument must match this
pattern, else the request will be rejected. This is to protect against known
issues passing command line arguments from Java to Windows. These issues can
lead to remote code execution. For more information on these issues see
<a href="https://codewhitesec.blogspot.com/2016/02/java-and-command-line-injections-in-windows.html">Markus
Wulftange's blog</a> and this archived
<a href="https://web.archive.org/web/20161228144344/https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/23/everyone-quotes-command-line-arguments-the-wrong-way/">blog
by Daniel Colascione</a>.</li>
<li><strong>cmdLineArgumentsEncoded</strong> - If command line arguments
are enabled (via <strong>enableCmdLineArguments</strong>), each individual encoded
command line argument must match this pattern, else the request will be rejected.
The default matches the allowed values defined by RFC 3875 and is
<code>[a-zA-Z0-9\Q%;/?:@&amp;,$-_.!~*'()\E]+</code>.</li>
<li><strong>enableCmdLineArguments</strong> - Are command line arguments
generated from the query string as per section 4.4 of RFC 3875? The default is
<code>false</code>.</li>
<li><strong>environment-variable-</strong> - An environment variable to be set in
the execution environment of the CGI script. The name of the variable is taken
from the parameter name. To configure an environment variable named FOO, configure
a parameter named environment-variable-FOO. The parameter value is used as the
environment variable value. The default is no environment variables.</li>
<li><strong>executable</strong> - The name of the executable to be used to
run the script. You may explicitly set this parameter to be an empty string
if your script is itself executable (e.g. an exe file). Default is
<code>perl</code>.</li>
<li><strong>executable-arg-1</strong>, <strong>executable-arg-2</strong>,
and so on - additional arguments for the executable. These precede the
CGI script name. By default there are no additional arguments.</li>
<li><strong>envHttpHeaders</strong> - A regular expression used to select the
HTTP headers passed to the CGI process as environment variables. Note that
headers are converted to upper case before matching and that the entire header
name must match the pattern. Default is
<code>ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT</code>.
</li>
<li><strong>parameterEncoding</strong> - Name of the parameter encoding
to be used with the CGI servlet. Default is
<code>System.getProperty("file.encoding","UTF-8")</code>. That is the system
default encoding, or UTF-8 if that system property is not available.</li>
<li><strong>passShellEnvironment</strong> - Should the shell environment
variables from the Tomcat process (if any) be passed to the CGI script? Default is
<code>false</code>.</li>
<li><strong>stderrTimeout</strong> - The time (in milliseconds) to wait for
the reading of stderr to complete before terminating the CGI process. Default
is <code>2000</code>.</li>
</ul>

<p>The CGI script executed depends on the configuration of the CGI Servlet and
how the request is mapped to the CGI Servlet. The CGI search path starts at the
web application root directory + File.separator + cgiPathPrefix. The
<strong>pathInfo</strong> is then searched unless it is <code>null</code>, in
which case the <strong>servletPath</strong> is searched.</p>

<p>The search starts with the first path segment and expands one path segment
at a time until no path segments are left (resulting in a 404) or a script is
found. Any remaining path segments are passed to the script in the
<strong>PATH_INFO</strong> environment variable.</p>
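<p>The following is an added example, not the sample shipped in
<code>$CATALINA_BASE/conf/web.xml</code> and not configuration from the Tomcat
project itself. It puts the two installation steps and the init parameters
described above together: a <code>WEB-INF/web.xml</code> that declares the CGI
servlet with each parameter written out, and the <code>META-INF/context.xml</code>
that marks the Context as privileged. The servlet name <code>cgi</code>, the
<code>-T</code> interpreter argument (Perl's taint checking), the variable name
<code>APP_ENV</code> and the narrowed <strong>envHttpHeaders</strong> pattern are
choices made for this example; the remaining values are the defaults stated above,
written out so that the restrictions they impose are visible in the application's
own configuration rather than inherited silently.</p>

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- File 1 of 2: WEB-INF/web.xml of the web application.
     Added example; servlet name, -T argument, APP_ENV and the envHttpHeaders
     value are assumptions, the other values are the documented defaults. -->
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://xmlns.jcp.org/xml/ns/javaee
                             http://xmlns.jcp.org/xml/ns/javaee/web-app_3_1.xsd"
         version="3.1">

  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>

    <!-- Keep scripts under WEB-INF so the container never serves them as
         static content; the search for a script starts in this directory. -->
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>

    <!-- Interpreter and its arguments; the arguments precede the script name. -->
    <init-param>
      <param-name>executable</param-name>
      <param-value>perl</param-value>
    </init-param>
    <init-param>
      <param-name>executable-arg-1</param-name>
      <param-value>-T</param-value>
    </init-param>

    <!-- Defaults, stated explicitly: no argv built from the query string,
         no inheritance of the Tomcat process environment, GET and POST only. -->
    <init-param>
      <param-name>enableCmdLineArguments</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>passShellEnvironment</param-name>
      <param-value>false</param-value>
    </init-param>
    <init-param>
      <param-name>cgiMethods</param-name>
      <param-value>GET,POST</param-value>
    </init-param>

    <!-- Narrower than the default: Cookie, Referer, Cache-Control and If-*
         headers are not exported to the script. Names are matched upper-cased
         and the whole header name must match. -->
    <init-param>
      <param-name>envHttpHeaders</param-name>
      <param-value>ACCEPT[-0-9A-Z]*|HOST|USER-AGENT</param-value>
    </init-param>

    <!-- Fixed environment for the script; the name after the prefix
         becomes the variable name (APP_ENV is a constructed example). -->
    <init-param>
      <param-name>environment-variable-APP_ENV</param-name>
      <param-value>production</param-value>
    </init-param>

    <!-- Milliseconds to wait for stderr to drain before the process is killed. -->
    <init-param>
      <param-name>stderrTimeout</param-name>
      <param-value>2000</param-value>
    </init-param>

    <load-on-startup>5</load-on-startup>
  </servlet>

  <!-- Traditional mapping; everything under /cgi-bin/ goes to the CGI servlet. -->
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>

</web-app>

<!-- File 2 of 2: META-INF/context.xml of the same web application.
     Only a privileged Context may use the CGI servlet; setting this here
     rather than in $CATALINA_BASE/conf/context.xml limits it to this one
     application. -->
<Context privileged="true"/>
```

<p>With this configuration, a request for the constructed path
<code>/cgi-bin/reports/run.cgi/2024/q1</code> below the application's context
path reaches the servlet with a <strong>pathInfo</strong> of
<code>/reports/run.cgi/2024/q1</code>. Following the search described above, the
servlet starts in <code>WEB-INF/cgi</code>, tries <code>reports</code> (a
directory, so not a script), then <code>reports/run.cgi</code>; if that file
exists it is run with <code>perl -T</code> and the remaining segments,
<code>/2024/q1</code>, are passed in <strong>PATH_INFO</strong>. If no segment
ever names a script the request ends in a 404. Because
<strong>enableCmdLineArguments</strong> is <code>false</code>, a query string on
that request is never turned into command line arguments, so the
<strong>cmdLineArgumentsEncoded</strong> and
<strong>cmdLineArgumentsDecoded</strong> patterns never come into play.</p>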

</section>

</body>

</document>