quotes
Last December scans of the Tomcat 10.1 Benchmark were producing failure codes when scanning the catalina.sh file if the following was not found:
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=`true` (back ticks used around the word true)
The convention for quoting in the catalina.sh, server.xml and other configuration files from Apache is the following:
-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE="true" (double quotes).
Recently, I received results when using back ticks that indicated failure (and stated that -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE="true" was missing).
The most recent audit file uses single quotes. This ambiguity around what type of quote (double, single, or back ticks) is expected causes failures for several different parameter checks in several files. If all three work, why isn't OR logic used in the audit files to test for "true" (double quotes) OR 'true' (single quotes) OR `true` (back ticks), to avoid false negatives (FAILURE)?
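To show what a quote-tolerant version of this check looks like, here is an added example (not the poster's code and not the CIS audit file, whose format is not shown on this page). It scans catalina.sh/setenv.sh-style text for -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true with one regular expression that accepts the unquoted form and the three quote styles named above, and it reports which style it found. The function names, the PASS/FAIL wording and the sample lines are assumptions made for the example. One caveat the example also encodes: in a shell script, back ticks are command substitution, so `true` runs the true command and expands to its empty output, which leaves the property set to an empty string rather than to true; a check that simply accepted back ticks would therefore hide a misconfiguration rather than avoid a false negative.

```python
import re

PROPERTY = "org.apache.catalina.STRICT_SERVLET_COMPLIANCE"

# Map the captured opening quote character to a readable style name.
QUOTE_STYLES = {"": "unquoted", '"': "double", "'": "single", "`": "backtick"}

# One pattern for the three quote styles discussed in the post plus the unquoted
# form. The backreference \1 requires the closing quote to be the same character
# as the opening one; the lookahead stops "true" from matching a longer token.
_PATTERN = re.compile(
    r"-D" + re.escape(PROPERTY) + r"=([\"'`]?)true\1(?![A-Za-z0-9_])"
)


def check_strict_compliance(script_text):
    """Scan shell-script text (catalina.sh / setenv.sh style) for the property.

    Returns a dict with the quote style found and whether the setting is
    effective. The backtick form is reported as not effective: inside a shell
    script backticks are command substitution, so `true` runs the true(1)
    command and expands to its empty output, leaving the property set to "".
    """
    for line in script_text.splitlines():
        stripped = line.strip()
        if not stripped or stripped.startswith("#"):
            continue  # a commented-out setting configures nothing
        match = _PATTERN.search(stripped)
        if not match:
            continue
        style = QUOTE_STYLES[match.group(1)]
        effective = style != "backtick"
        note = "" if effective else (
            "backticks are command substitution in shell; value expands to \"\""
        )
        return {"found": True, "style": style, "effective": effective,
                "line": stripped, "note": note}
    return {"found": False, "style": None, "effective": False, "line": None,
            "note": "-D%s=true not set" % PROPERTY}


def audit(script_text):
    """Collapse the check into the PASS/FAIL verdict an audit file would report."""
    return "PASS" if check_strict_compliance(script_text)["effective"] else "FAIL"


# Constructed sample lines (not taken from the original post), one per case.
SAMPLES = {
    "unquoted": 'JAVA_OPTS="$JAVA_OPTS -Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true"',
    "double": 'JAVA_OPTS=-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE="true"',
    "single": "JAVA_OPTS=-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE='true'",
    "backtick": "JAVA_OPTS=-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=`true`",
    "missing": 'JAVA_OPTS="$JAVA_OPTS -Xmx1024m"',
    "commented": "# JAVA_OPTS=-Dorg.apache.catalina.STRICT_SERVLET_COMPLIANCE=true",
}

if __name__ == "__main__":
    for name, text in SAMPLES.items():
        result = check_strict_compliance(text)
        print("%-9s %s  style=%s  %s" % (name, audit(text), result["style"], result["note"]))
```

Run against a real catalina.sh or setenv.sh by passing the file contents to audit(); the double, single and unquoted forms all pass, a missing or commented-out setting fails, and the back-tick form fails with a note explaining why the value is empty at runtime.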
Comments: 1
01 Jul, '25
Chris Boldiston (Admin)
Hi Leroy
Can you please post the comment to the Tomcat Community on Workbench? The experts there will be able to assist.
https://workbench.cisecurity.org/communities/19
Thanks
Chris