Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 257376

Summary: www-servers/tomcat-6.0.18-r2 overwrites sensitive Files in webapps/ROOT
Product: Gentoo Linux Reporter: Phillip Merensky <gentoo>
Component: New packagesAssignee: Java team <java>
Severity: major CC: mike
Priority: High    
Version: unspecified   
Hardware: AMD64   
OS: Linux   
Package list:
Runtime testing required: ---

Description Phillip Merensky 2009-02-02 12:21:58 UTC
The Ebuild silently overwrites ROOT/WEB-INF/web.xml, ROOT/favicon.ico and maybe other files in a ROOT application. 

Reproducible: Always

Steps to Reproduce:
1. Install Tomcat 6 with a ROOT Web application present 
2. web.xml and favicon.ico will be overwritten

Actual Results:  
This is very dangerous, because your ROOT web application will not work any longer if your  ROOT/WEB-INF/web.xml is different than the default one (which it obviously is in most cases).

Expected Results:  
The Ebuild must check if webapps/ROOT ist present and skip the copying if it is (see attachment).

I am currently working on a solution which will be attached to this bug in the next hours.
Comment 1 Marijn Schouten (RETIRED) gentoo-dev 2009-02-02 12:32:58 UTC
simply list the files in CONFIG_PROTECT?
Comment 2 Phillip Merensky 2009-02-02 13:03:13 UTC
This would be a solution for me personally. But in my opinion the ebuild should do this for the default webapps location. 
As I am new to Ebuild writing I do not know if there is a possibility to update CONFIG_PROTECT from an ebuild.
Sensitive Files should not be overwritten automatically. Or am I wrong here?
Comment 3 Phillip Merensky 2009-02-02 13:50:29 UTC
Maybe 254526 would be the solution?
Comment 4 Mike Weissman 2009-02-02 15:42:19 UTC
This is a duplicate of bug#180519

I have been testing a fix for this in [java-experimental] tomcat-r4 has the fix.


Does NOT contain the fix this this, that bug is dedicate for configuration for Netbeans. 

Comment 5 Alistair Bush (RETIRED) gentoo-dev 2009-02-02 18:04:23 UTC
If its a dup,  lets close it as one.

*** This bug has been marked as a duplicate of bug 180519 ***