tomcat-dev mailing list archives

From Jim Jagielski <>
Subject Re: svn commit: r575332 - in /tomcat/tc6.0.x/trunk: java/org/apache/naming/resources/ webapps/docs/changelog.xml
Date Fri, 14 Sep 2007 19:39:59 GMT

On Sep 14, 2007, at 3:30 PM, Filip Hanik - Dev Lists wrote:

> Costin Manolache wrote:
>> I'm not sure the security discussion is that simple, this seems quite a
>> dangerous change.
>> Currently the user is restricted to the webapps/ directory (well, he can
>> add a context with the base in /etc and expose passwd I guess - but
>> hopefully if a deploy tool is used or some automation is done on adding
>> webapps, it can be controlled). At least this introduces one more risk.
> what does httpd do when you do set up an alias or document root for
> the /etc directory?
> Since it does, would that mean that httpd should not include the
> Alias feature?
> This is the same scenario, adding a useful feature, though it can
> go wrong when misconfigured, doesn't mean we shouldn't do it.
> Tomcat already would allow you to do docBase=/etc"
> so the risk already exists, and no, the user is not restricted to
> the webapps directory.

httpd allows for not only following of symlinks but
also having content outside of DocumentRoot via
the Alias directive.

But, of course httpd has had this for ages, and the
core internals of httpd know how to handle the security
implications of both symlinks on the file system
and Aliases in the configuration... The question
is does this patch open any holes it shouldn't...

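The containment check that the "does this patch open any holes" question above implies, as an added example that is not Tomcat's code and not part of this thread: requests are first checked lexically (".." must never leave docBase) and then, unless linking outside docBase is explicitly allowed, the symlink-resolved target is checked as well. The class name, the `allowLinking` flag and the temp-directory layout are assumptions constructed for the demo.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example, not Tomcat's code: a docBase containment check.
// Class and method names are assumptions.
public class DocBaseGuard {

    private final Path base;      // absolute, normalised docBase
    private final Path realBase;  // docBase with its own symlinks resolved
    private final boolean allowLinking;

    public DocBaseGuard(Path docBase, boolean allowLinking) throws IOException {
        this.base = docBase.toAbsolutePath().normalize();
        this.realBase = this.base.toRealPath();
        this.allowLinking = allowLinking;
    }

    /** Returns the file to serve, or null if the request must be refused. */
    public Path resolve(String requestPath) throws IOException {
        // Lexical check first: ".." must never step outside docBase even when
        // linking is permitted. Path.startsWith compares whole components,
        // so /srv/app does not accidentally match /srv/app2.
        Path lexical = base.resolve(requestPath).normalize();
        if (!lexical.startsWith(base)) {
            return null;
        }
        Path real;
        try {
            real = lexical.toRealPath(); // follows symlinks; fails if absent
        } catch (IOException missing) {
            return null;
        }
        // Symlink check: the resolved target must still sit under docBase
        // unless the context explicitly opted in to linking outside it.
        if (!allowLinking && !real.startsWith(realBase)) {
            return null;
        }
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: docbase/index.html and docbase/etc -> outside/
        Path outside = Files.createTempDirectory("outside");
        Files.writeString(outside.resolve("passwd"), "root:x:0:0\n");
        Path docBase = Files.createTempDirectory("docbase");
        Files.writeString(docBase.resolve("index.html"), "<html></html>\n");
        Files.createSymbolicLink(docBase.resolve("etc"), outside);

        DocBaseGuard strict = new DocBaseGuard(docBase, false);
        DocBaseGuard linking = new DocBaseGuard(docBase, true);
        System.out.println("index.html, strict:        " + strict.resolve("index.html"));
        System.out.println("etc/passwd, strict:        " + strict.resolve("etc/passwd"));
        System.out.println("../outside escape, strict: " + strict.resolve("../" + outside.getFileName() + "/passwd"));
        System.out.println("etc/passwd, allowLinking:  " + linking.resolve("etc/passwd"));
    }
}
```

With linking disabled the symlinked `etc/passwd` and the `..` escape both resolve to null; enabling linking serves the symlink target but still refuses the `..` escape.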