The CGI (Common Gateway Interface) defines a way for a web server to interact with external content-generating programs, which are often referred to as CGI programs or CGI scripts.

Within Tomcat, CGI support can be added when you are using Tomcat as your HTTP server and require CGI support. Typically this is done during development when you don't want to run a web server like Apache httpd. Tomcat's CGI support is largely compatible with Apache httpd's, but there are some limitations (e.g., only one cgi-bin directory).

CGI support is implemented using the servlet class org.apache.catalina.servlets.CGIServlet. Traditionally, this servlet is mapped to the URL pattern "/cgi-bin/*".

By default CGI support is disabled in Tomcat.

CAUTION - CGI scripts are used to execute programs external to the Tomcat JVM. If you are using the Java SecurityManager this will bypass your security policy configuration in catalina.policy.

To enable CGI support:

1. There are commented-out sample servlet and servlet-mapping elements for CGI servlet in the default $CATALINA_BASE/conf/web.xml file. To enable CGI support in your web application, copy that servlet and servlet-mapping declarations into WEB-INF/web.xml file of your web application.

   Uncommenting the servlet and servlet-mapping in $CATALINA_BASE/conf/web.xml file enables CGI for all installed web applications at once.

2. Set privileged="true" on the Context element for your web application.

   Only Contexts which are marked as privileged are allowed to use the CGI servlet. Note that modifying the global $CATALINA_BASE/conf/context.xml file affects all web applications. See Context documentation for details.

There are several servlet init parameters which can be used to configure the behaviour of the CGI servlet.

• cgiMethods - Comma separated list of HTTP methods. Requests using one of these methods will be passed to the CGI script for the script to generate the response. The default value is GET,POST. Use * for the script to handle all requests regardless of method. Unless over-ridden by the configuration of this parameter, requests using HEAD, OPTIONS or TRACE will have handled by the superclass.
• cgiPathPrefix - The CGI search path will start at the web application root directory + File.separator + this prefix. By default there is no value, which results in the web application root directory being used as the search path. The recommended value is WEB-INF/cgi
• cmdLineArgumentsDecoded - If command line argumemnts are enabled (via enableCmdLineArguments) and Tomcat is running on Windows then each individual decoded command line argument must match this pattern else the request will be rejected. This is to protect against known issues passing command line arguments from Java to Windows. These issues can lead to remote code execution. For more information on these issues see Markus Wulftange's blog and this archived blog by Daniel Colascione.
• cmdLineArgumentsEncoded - If command line argumemnts are enabled (via enableCmdLineArguments) individual encoded command line argument must match this pattern else the request will be rejected. The default matches the allowed values defined by RFC3875 and is [a-zA-Z0-9\Q%;/?:@&,$-_.!~*'()\E]+
• enableCmdLineArguments - Are command line arguments generated from the query string as per section 4.4 of 3875 RFC? The default is false.
• environment-variable- - An environment to be set for the execution environment of the CGI script. The name of variable is taken from the parameter name. To configure an environment variable named FOO, configure a parameter named environment-variable-FOO. The parameter value is used as the environment variable value. The default is no environment variables.
• executable - The name of the executable to be used to run the script. You may explicitly set this parameter to be an empty string if your script is itself executable (e.g. an exe file). Default is perl.
• executable-arg-1, executable-arg-2, and so on - additional arguments for the executable. These precede the CGI script name. By default there are no additional arguments.
• envHttpHeaders - A regular expression used to select the HTTP headers passed to the CGI process as environment variables. Note that headers are converted to upper case before matching and that the entire header name must match the pattern. Default is ACCEPT[-0-9A-Z]*|CACHE-CONTROL|COOKIE|HOST|IF-[-0-9A-Z]*|REFERER|USER-AGENT
• parameterEncoding - Name of the parameter encoding to be used with the CGI servlet. Default is System.getProperty("file.encoding","UTF-8"). That is the system default encoding, or UTF-8 if that system property is not available.
• passShellEnvironment - Should the shell environment variables from Tomcat process (if any) be passed to the CGI script? Default is false.
• stderrTimeout - The time (in milliseconds) to wait for the reading of stderr to complete before terminating the CGI process. Default is 2000.

The CGI script executed depends on the configuration of the CGI Servlet and how the request is mapped to the CGI Servlet. The CGI search path starts at the web application root directory + File.separator + cgiPathPrefix. The pathInfo is then searched unless it is null - in which case the servletPath is searched.

The search starts with the first path segment and expands one path segment at a time until no path segments are left (resulting in a 404) or a script is found. Any remaining path segments are passed to the script in the PATH_INFO environment variable.