Tomcat and Railo need to be case insensitive for migration


Problem description


I am migrating several large sites from ColdFusion, MS SQL and IIS to Railo, MySQL and Tomcat 7. The setup wasn't bad, but there is a lot of old code that I will be rewriting where case was not always taken into consideration.

Although I am not sure why case sensitivity is such a security threat (coming from the MS world, it's never been an issue), I need to find a way to make Tomcat 7 and Railo find img/employee/greg.jpg when it is in the img/Employee/greg.jpg folder. The E in employee is causing half of the calls to fail.

Two questions:
How can I get it to be case insensitive, and why is case sensitivity such a security risk?

Solution

Okay, so second question first:

Why is case sensitivity such a security risk?

Case sensitivity is not a security risk in itself. As per the comments in the other answer, the issue appears to be that it potentially bypasses security constraints on directories which have a particular name/case, specifically WEB-INF (which potentially contains sensitive code or config files).

If you attempt to access domain.com/WEB-INF Tomcat will block that, whilst it treats domain.com/Web-Inf as different, and might not block that (I haven't actually tested to see if this is the case).

However, this is not really an issue, since Railo does not require you to have the WEB-INF directory inside the webroot - you can configure Railo to point to a different location, and if that is outside the webroot then the issue is removed.

(disclaimer: this is based on available information; there might be more to it than this, but it is your responsibility to perform security scans / penetration tests against any publicly accessible websites.)


How to solve the case sensitivity problem?

There are a number of options here...

Consider another servlet engine instead of Tomcat, such as Jetty.

Whilst the same applies for Jetty as for Tomcat, Jetty's aliases option (in {jetty}/etc/webdefault.xml) is not deprecated (like Tomcat's case sensitive switch is), and in brief tests it appears to block access to all case variants of web-inf just fine.

There may well be other servlet engines that have similar options that are acceptable to use (e.g. Resin).

You don't need to remove your web server when using Railo with Tomcat.

Whilst you can use Tomcat's Coyote web server, you are not required to, and putting (for example) Apache httpd, Nginx, or IIS7 in front can give you more flexibility - and specifically it allows you to make static resources case insensitive.

I say this because the example you give is an image file, so it doesn't need to go to the servlet engine or Railo - if it's only static files which are the issue (entirely possible if all requests go through index.cfm) then simply configuring a web server to be case insensitive is a simple way to solve this, without Tomcat/Railo being in the picture.

Fix the files to use a consistent case, then use URL rewriting to redirect requests.

For example, spider your site whilst logging 404 errors - this will give you a list of case mismatches.

Once you have this, create a simple script to rename all these files to lowercase, and generate a series of rewrite rules so that requested files are redirected to the lowercase variant.

For example using mod_rewrite syntax:

# If the requested file exists on disk, serve it as-is and stop processing further rules
RewriteCond %{REQUEST_FILENAME} -f
RewriteRule .* - [L]

# Requested file doesn't exist, so redirect any case variant to the lowercase version
# (^/? makes the pattern work in both vhost and .htaccess context; dots are escaped)
RewriteRule (?i)^/?img/employee/greg\.jpg$ /img/employee/greg.jpg [L,R=301]
RewriteRule (?i)^/?img/employee/bert\.jpg$ /img/employee/bert.jpg [L,R=301]
RewriteRule (?i)^/?whatever\.else$ /whatever.else [L,R=301]

The first rule ensures that files that exist aren't needlessly checked (the L flag says stop looking for further redirects), whilst the (?i) will perform a case-insensitive match and do a 301 redirect to the correct file.

This solves the immediate problem, and over time you can gradually update the code to use consistent cases until the redirects are no longer needed.

The rewrite syntax will vary depending on what you use for the web server - there are options for all of them, but some are more mature/integrated than others.
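The spider-the-site, rename, generate-rules procedure from the answer, worked through end to end as an added example (my code, not the answerer's or Railo's). It pulls the 404s out of Apache combined-format access-log lines, matches each one case-insensitively against a listing of what is really on disk, plans the lowercase renames, flags the requests that are genuinely missing rather than mis-cased, and emits the same `-f` / `(?i)` mod_rewrite block the answer shows. The log lines and the webroot listing are constructed; `os.renames` is used for the rename step because the target box (Linux) has a case-sensitive filesystem.

```python
"""Turn 404s logged during a site spider into lowercase renames and
mod_rewrite rules. Added example; SAMPLE_LOG and WEBROOT_FILES are
constructed data, not taken from the original question or answer."""
import os
import re
from typing import Dict, Iterable, List, Tuple

# Constructed Apache combined-format access-log lines from a spider run.
SAMPLE_LOG = """\
10.0.0.5 - - [01/Jan/2013:10:00:01 +0000] "GET /img/employee/greg.jpg HTTP/1.1" 404 209 "-" "spider/1.0"
10.0.0.5 - - [01/Jan/2013:10:00:02 +0000] "GET /img/Employee/greg.jpg HTTP/1.1" 200 5120 "-" "spider/1.0"
10.0.0.5 - - [01/Jan/2013:10:00:03 +0000] "GET /img/employee/bert.jpg HTTP/1.1" 404 209 "-" "spider/1.0"
10.0.0.5 - - [01/Jan/2013:10:00:04 +0000] "GET /Docs/Handbook.PDF HTTP/1.1" 404 209 "-" "spider/1.0"
10.0.0.5 - - [01/Jan/2013:10:00:05 +0000] "GET /index.cfm?page=home HTTP/1.1" 200 1024 "-" "spider/1.0"
10.0.0.5 - - [01/Jan/2013:10:00:06 +0000] "GET /missing.gif HTTP/1.1" 404 209 "-" "spider/1.0"
"""

# Constructed listing of what is actually on disk under the webroot, in the
# mixed case it came over with from the IIS box.
WEBROOT_FILES = [
    "/img/Employee/greg.jpg",
    "/img/Employee/bert.jpg",
    "/docs/handbook.pdf",
    "/index.cfm",
]

# Request path (query string excluded) and status from a combined-format line.
LOG_RE = re.compile(r'"(?:GET|HEAD) (?P<path>[^ ?"]+)[^"]*" (?P<status>\d{3}) ')


def not_found_paths(log_text: str) -> List[str]:
    """Distinct request paths that returned 404, in the order first seen."""
    seen, out = set(), []
    for line in log_text.splitlines():
        m = LOG_RE.search(line)
        if m and m.group("status") == "404" and m.group("path") not in seen:
            seen.add(m.group("path"))
            out.append(m.group("path"))
    return out


def index_webroot(files: Iterable[str]) -> Dict[str, str]:
    """lowercased path -> actual on-disk path: the lookup the Windows
    filesystem did for free and the Linux one will not."""
    return {p.lower(): p for p in files}


def plan_renames(files: Iterable[str], not_founds: Iterable[str]) -> Tuple[Dict[str, str], List[str]]:
    """Match each 404 to the on-disk file that differs only in case.
    Returns (renames, unresolved): renames maps current path -> lowercase
    path for files that must move; unresolved are 404s with no
    case-insensitive match, i.e. really missing, not mis-cased."""
    index = index_webroot(files)
    renames: Dict[str, str] = {}
    unresolved: List[str] = []
    for req in not_founds:
        actual = index.get(req.lower())
        if actual is None:
            unresolved.append(req)
        elif actual != actual.lower():
            renames[actual] = actual.lower()
    return renames, unresolved


def rewrite_rules(files: Iterable[str], not_founds: Iterable[str]) -> str:
    """The mod_rewrite block from the answer: existing files are served
    untouched; any case variant of a known file is 301'd to its lowercase
    name. ^/? lets the patterns work in both vhost and .htaccess context."""
    index = index_webroot(files)
    targets = sorted({index[r.lower()].lower() for r in not_founds if r.lower() in index})
    lines = [
        "# If the file exists on disk, serve it and stop processing rules",
        "RewriteCond %{REQUEST_FILENAME} -f",
        "RewriteRule .* - [L]",
        "",
        "# Otherwise redirect any case variant of a known file to its lowercase name",
    ]
    for t in targets:
        pattern = "^/?" + t.lstrip("/").replace(".", r"\.") + "$"
        lines.append(f"RewriteRule (?i){pattern} {t} [L,R=301]")
    return "\n".join(lines) + "\n"


def apply_renames(webroot: str, renames: Dict[str, str]) -> None:
    """Move files to their lowercase paths on the (case-sensitive) target box.
    os.renames creates the new directory components and prunes emptied ones,
    so /img/Employee/greg.jpg -> /img/employee/greg.jpg also moves the dir."""
    for src, dst in renames.items():
        os.renames(os.path.join(webroot, src.lstrip("/")),
                   os.path.join(webroot, dst.lstrip("/")))


if __name__ == "__main__":
    nf = not_found_paths(SAMPLE_LOG)
    renames, unresolved = plan_renames(WEBROOT_FILES, nf)
    print("renames:", renames)
    print("genuinely missing:", unresolved)
    print(rewrite_rules(WEBROOT_FILES, nf))
```

Note that /Docs/Handbook.PDF gets a rule but no rename: the file is already lowercase on disk and only the code referencing it is mis-cased, which is exactly the case the redirect list is for. If the per-file list grows unwieldy and you control the vhost config (RewriteMap is not allowed in .htaccess), a single `RewriteMap lc int:tolower` plus `RewriteRule ^(.*)$ ${lc:$1} [R=301,L]` guarded by the same `-f` passthrough covers every file; Apache's mod_speling (`CheckSpelling On`) is another option, but it also matches one-character typos, not just case.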
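The answer leaves the real security question untested: whether the container refuses /Web-Inf and /web-inf as firmly as it refuses /WEB-INF. This added script (my code, not the answerer's) is that check. It builds the case variants of the protected directory names, requests each one against a container you name, and reports any variant that comes back with something other than a refusal. The base URL is an assumption you pass on the command line; the choice of web.xml and MANIFEST.MF as probe files is mine, picked because they exist in every deployed webapp. On Tomcat on a case-sensitive filesystem the expected result is 404 for every variant.

```python
"""Probe a servlet container for case-variant access to WEB-INF and META-INF.
Added example; the base URL is an assumption (pass your own as argv[1])."""
import sys
import urllib.error
import urllib.request
from typing import Dict, List

# Files present inside every deployed webapp that must never be served.
PROTECTED_PATHS = ["WEB-INF/web.xml", "META-INF/MANIFEST.MF"]


def case_variants(path: str) -> List[str]:
    """Case variants of the protected directory segment only (the filename is
    left alone). Order is stable and duplicates removed so reports are
    reproducible; the canonical spelling comes first."""
    head, sep, rest = path.partition("/")
    forms = [head, head.lower(), head.upper(), head.title(), head.capitalize(),
             head[:1].lower() + head[1:].upper()]
    out: List[str] = []
    for f in forms:
        v = f + sep + rest
        if v not in out:
            out.append(v)
    return out


def probe(base_url: str, paths=PROTECTED_PATHS, timeout: float = 5.0) -> Dict[str, int]:
    """GET each variant; return path -> HTTP status (-1 on connection failure)."""
    results: Dict[str, int] = {}
    for p in paths:
        for v in case_variants(p):
            url = base_url.rstrip("/") + "/" + v
            try:
                with urllib.request.urlopen(url, timeout=timeout) as resp:
                    results[v] = resp.status
            except urllib.error.HTTPError as e:
                results[v] = e.code
            except urllib.error.URLError:
                results[v] = -1
    return results


def findings(results: Dict[str, int]) -> List[str]:
    """Variants the container did not refuse. 404 is Tomcat's normal answer
    for anything under WEB-INF, and a 403 from a front-end web server is
    equally fine; anything else (200 above all) means the name matched and
    the container handed the file out. Connection failures are not findings."""
    return [p for p, status in results.items() if status >= 0 and status not in (403, 404)]


if __name__ == "__main__":
    base = sys.argv[1] if len(sys.argv) > 1 else "http://localhost:8080/"
    res = probe(base)
    for path, status in res.items():
        print(f"{status:>4}  {base.rstrip('/')}/{path}")
    bad = findings(res)
    print("FINDINGS:" if bad else "OK: all variants refused", *bad, sep="\n  ")
```

Run it against the Tomcat port directly as well as against the front-end web server, because the answer's point about putting Apache httpd or Nginx in front cuts both ways: a front end configured to serve static files case-insensitively will cheerfully serve WEB-INF contents case-insensitively too if the webroot still contains that directory, which is why moving it outside the webroot (as the answer suggests for Railo) is the fix rather than relying on name matching at all.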
