tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: virtual host getRealPath
Date Sun, 05 Nov 2006 14:05:11 GMT
Peter,

> After poking around a little more, it seems that the call
>
> application.getRealPath(request.getServletPath())
>
> provides the proper local file path for me.  Any reason not to use that?

You still have to add the request's URI to the end of that. You are
basically making the same suggestion that I did.

The only reasons I can think of not to do this are involved with
security. You'd better make sure that remote users can't construct URLs
that can poke around on your disk. My recommendation is that if you
already know where the request is going (say, they request
/foo/bar/baz.jsp and you are processing /foo/bar/baz.jsp), then just load
the resource statically yourself.

What you are doing seems most appropriate when, say, using the "path
info" of the URL to locate a resource that has been PUT in the past. In
this case, I would imagine a mapping layer between the remote user's
request and the actual path on the disk (say, /foo/bar/baz maps to
/user-files/a/b/c/1234.tiff or something like that). This way, remote
users cannot arbitrarily request resources that are on your server.

-chris
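
The mapping layer suggested in the message above, sketched as an added example that is not part of the original message or of Tomcat. The class name `ResourceMapper`, the temporary storage root and the table entries are constructed for illustration, and the code uses only `java.nio.file` rather than the servlet API so that it runs stand-alone.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Map;
import java.util.Optional;

// Added illustration: resolves a request's path info through an explicit
// mapping table instead of appending it to a directory on disk.
public class ResourceMapper {
    private final Path root;                 // storage root (assumption)
    private final Map<String, String> table; // logical name -> relative file

    ResourceMapper(Path root, Map<String, String> table) throws IOException {
        this.root = root.toRealPath();       // canonical form, symlinks resolved
        this.table = table;
    }

    // Returns the file for a logical name, or empty if the name is not
    // mapped or the mapped file falls outside the storage root.
    Optional<Path> resolve(String pathInfo) {
        String relative = table.get(pathInfo);   // exact match only, no concatenation
        if (relative == null) return Optional.empty();
        Path candidate = root.resolve(relative).normalize();
        try {
            Path real = candidate.toRealPath();  // follows symlinks
            return real.startsWith(root) ? Optional.of(real) : Optional.empty();
        } catch (IOException e) {
            return Optional.empty();             // missing or unreadable file
        }
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: a temp directory stands in for /user-files.
        Path root = Files.createTempDirectory("user-files");
        Files.createDirectories(root.resolve("a/b/c"));
        Files.write(root.resolve("a/b/c/1234.tiff"), new byte[] {0});
        ResourceMapper mapper = new ResourceMapper(root,
                Map.of("/foo/bar/baz", "a/b/c/1234.tiff"));

        // The first name is mapped; the other two are not in the table.
        String[] requests = {"/foo/bar/baz", "/foo/../../secret.txt", "/a/b/c/1234.tiff"};
        for (String p : requests) {
            System.out.println(p + " -> "
                    + mapper.resolve(p).map(Path::toString).orElse("404"));
        }
    }
}
```

In a servlet the argument to `resolve` would be `request.getPathInfo()`; the containment check after the lookup guards against a table entry that is itself absolute or points through a symlink out of the root.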
