Bug 1125375 - The servlet mapping with url pattern as <url-pattern>/static/*</url-pattern> does not work when mapped to Tomcat default servlet org.apache.catalina.servlets.DefaultServlet and access /context/static/ cause HTTP 404 error
Summary: The servlet mapping with url pattern as <url-pattern>/static/*</url-pattern> ...
Keywords:
Status: CLOSED WORKSFORME
Alias: None
Product: Red Hat Enterprise Linux 6
Classification: Red Hat
Component: tomcat6
Version: 6.5
Hardware: Unspecified
OS: Unspecified
high
unspecified
Target Milestone: rc
: ---
Assignee: Coty Sutherland
QA Contact: tomcat-qe
URL:
Whiteboard:
Depends On:
Blocks: 1075802 1172231 1275725
TreeView+ depends on / blocked
 
Reported: 2014-07-31 16:45 UTC by Dasharath Masirkar
Modified: 2018-12-06 17:33 UTC (History)
6 users (show)

Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2015-12-11 20:32:27 UTC


Attachments (Terms of Use)
reproducer from description (1.02 KB, application/zip)
2015-12-11 20:33 UTC, Coty Sutherland
no flags Details


Links
System ID Priority Status Summary Last Updated
Apache Bugzilla 50026 None None None Never

Description Dasharath Masirkar 2014-07-31 16:45:19 UTC
Description of problem:
The servlet mapping with url pattern as <url-pattern>/static/*</url-pattern> does not work when mapped to Tomcat default servlet org.apache.catalina.servlets.DefaultServlet and access /context/static/ cause HTTP 404 error .

Version-Release number of selected component (if applicable):
Tomcat 6.0.24-72.el6_5 

How reproducible:
Always

Steps to Reproduce:
1. Create a sample test web application with following configuration and deploy to /usr/share/tomcat6/webapps/ directory.

test/WEB-INF/web.xml :
===================
<?xml version="1.0" encoding="UTF-8"?>

<web-app xmlns="http://java.sun.com/xml/ns/javaee";
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance";
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd";
         version="2.5">

    <servlet-mapping>
        <servlet-name>default</servlet-name>
        <url-pattern>/css/*</url-pattern>
        <url-pattern>/img/*</url-pattern>
        <url-pattern>/js/*</url-pattern>
    </servlet-mapping>

</web-app>

# tree /usr/share/tomcat6/webapps/test/
├── css
│   |
│   └── some.css
├── img
│   └── some.jpg
├── js
│   │   
│   └── some.js
├── root.css
└── WEB-INF
    └── web.xml

2. Start the tomcat service  # service tomcat6 start and access it as follows.

test :
====

$ curl -vi  http://localhost:8080/test/css/root.css 
* About to connect() to localhost port 8080 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 8080 (#0)
> GET /test/css/root.css HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Length: 985
< Date: Mon, 28 Jul 2014 15:07:01 GMT


Actual results:
Access to  http://localhost:8080/test/css/root.css give HTTP 404 error.

Expected results:
Access to  http://localhost:8080/test/css/root.css must give HTTP 200 error.

Additional info:
The same servlet mapping will work in community Tomcat 6.0.39 and JBoss EWS 2.0.1 Tomcat 6.0.37. As per the Java Servlet Specification 2.5 "A string beginning with a ‘/’ character and ending with a ‘/*’ suffix is used for path mapping, so its valid mapping to be used. This may be relevant to upstream bugzila https://issues.apache.org/bugzilla/show_bug.cgi?id=50026, which state its fixed in Tomcat 6.0.30 onwards.

Comment 1 Dasharath Masirkar 2014-07-31 16:57:49 UTC
My apologies for wrong url in curl command it should be as follows which gives HTTP 404 error

$ curl -v  http://localhost:8080/test/css/some.css 
* About to connect() to localhost port 8080 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 8080 (#0)
> GET /test/css/some.css HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 404 Not Found
< Server: Apache-Coyote/1.1
< Content-Type: text/html;charset=utf-8
< Content-Length: 985
< Date: Mon, 28 Jul 2014 15:07:01 GMT

Comment 8 Coty Sutherland 2015-12-11 20:32:27 UTC
It looks like the revision that resolves this was introduced with the fix for CVE-2014-0119 in build 73.

+++
* Thu Jul 17 2014 David Knox <dknox@redhat.com> 0:6.0.24-73
- Resolves: CVE-2013-4590
- Resolves: CVE-2014-0119
+++

Here are my test results (a test.war generated from Dasharath's description is attached for reference):

+++
# rpm -qa tomcat6*
tomcat6-jsp-2.1-api-6.0.24-90.el6.x86_64
tomcat6-servlet-2.5-api-6.0.24-90.el6.x86_64
tomcat6-el-2.1-api-6.0.24-90.el6.x86_64
tomcat6-6.0.24-90.el6.x86_64
tomcat6-lib-6.0.24-90.el6.x86_64
# curl -v  http://localhost:8080/test/css/some.css
* About to connect() to localhost port 8080 (#0)
*   Trying ::1... connected
* Connected to localhost (::1) port 8080 (#0)
> GET /test/css/some.css HTTP/1.1
> User-Agent: curl/7.19.7 (x86_64-redhat-linux-gnu) libcurl/7.19.7 NSS/3.15.3 zlib/1.2.3 libidn/1.18 libssh2/1.4.2
> Host: localhost:8080
> Accept: */*
> 
< HTTP/1.1 200 OK
< Server: Apache-Coyote/1.1
< Accept-Ranges: bytes
< ETag: W/"9-1449864340000"
< Last-Modified: Fri, 11 Dec 2015 20:05:40 GMT
< Content-Type: text/css
< Content-Length: 9
< Date: Fri, 11 Dec 2015 20:27:00 GMT
< 
some.css
* Connection #0 to host localhost left intact
* Closing connection #0
+++

Comment 9 Coty Sutherland 2015-12-11 20:33:47 UTC
Created attachment 1104827 [details]
reproducer from description


Note You need to log in before you can comment on or make changes to this bug.