Return-Path:
Mailing-List: contact tomcat-dev-help@jakarta.apache.org; run by ezmlm
Delivered-To: mailing list tomcat-dev@jakarta.apache.org
Received: (qmail 78480 invoked from network); 1 Dec 2000 18:39:39 -0000
Received: from lukla.sun.com (192.18.98.31) by locus.apache.org with SMTP; 1 Dec 2000 18:39:39 -0000
Received: from centralmail1.Central.Sun.COM ([129.147.62.10]) by lukla.Sun.COM (8.9.3+Sun/8.9.3) with ESMTP id LAA11262; Fri, 1 Dec 2000 11:39:36 -0700 (MST)
Received: from esun1as-mm. (esun1as-mm.Central.Sun.COM [129.147.34.144]) by centralmail1.Central.Sun.COM (8.9.3+Sun/8.9.3/ENSMAIL,v1.7) with SMTP id LAA21349; Fri, 1 Dec 2000 11:39:35 -0700 (MST)
Received: from eng.sun.com by esun1as-mm. (SMI-8.6/SMI-SVR4) id LAA11266; Fri, 1 Dec 2000 11:52:33 -0700
Message-ID: <3A27F0BB.6D98751D@eng.sun.com>
Date: Fri, 01 Dec 2000 10:41:00 -0800
From: "Craig R. McClanahan"
X-Mailer: Mozilla 4.75 [en]C-CCK-MCD {Sony} (Win98; U)
X-Accept-Language: en
MIME-Version: 1.0
To: tomcat-dev@jakarta.apache.org
CC: jetty-discuss@egroups.com, servlet-interest@java.sun.com
Subject: Re: Web application security problem on windows
References: <10F82FC788E0D311AB820060083EAE1E017F341A@mail.netbeans.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
X-Spam-Rating: locus.apache.org 1.6.2 0/1000/N

Petr Jiricka wrote:

> Does not the following address this issue for Tomcat 3.2? (from
> $TOMCAT_HOME/doc/readme)
>
> 6.7 URLs are now case sensitive on all operating systems
>
> As of Tomcat 3.2, URLs are case sensitive for all operating systems,
> including operating systems which have case insensitive file systems, such
> as Windows. This represents a change from Tomcat 3.1, where URLs were case
> insensitive on case insensitive OSs. This was done for a number of
> reasons, security and portability among them.
>

Tomcat 3.2 and 4.0 both have special logic to protect against the "/WeB-iNf" type attacks. They will not serve up static resources under WEB-INF or META-INF no matter how you try to mix the cases.

Until last night, both Tomcat 3.2 and 4.0 executed a JSP page under WEB-INF if you put one there (which is not recommended). That's been fixed by a patch that will appear in the next release of each version.

Neither Tomcat version currently has any mechanism to deal with the fact that security constraints are case sensitive. As Greg points out, that's an issue that the spec expert group needs to think about. The workaround I suggest is to use URL patterns like "/*", or directory names with only digits in them, if this is an issue for your application.

>
> Petr
>

Craig McClanahan