tomcat-users mailing list archives

From André Warnier ...@ice-sa.com>
Subject Re: Tomcat 6.0.18 access files case-insensitive
Date Thu, 11 Jun 2009 21:26:55 GMT
Markus Schönhaber wrote:
> André Warnier:
> 
>> the filesystem which matters.  If the filesystem is case-insensitive, it 
>> doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?
> 
> No. Try
> http://localhost:8080/tomcat.gif
> and
> http://localhost:8080/tomcaT.gif
> with a default Tomcat install.
> 
Sorry, I was only reasoning this platonically.
And apparently I was wrong, at least on my Windows Tomcat 5.5.
The second access above gives a 404.
So what's the deal again ?

Under Windows, one can create a file named "tomcat.gif" OR "tomcaT.gif", 
and the filesystem will effectively record the filename with the 
capitalisation as given when creating the file.

Suppose I have created it as "tomcat.gif".
With a text editor (or whatever) I can open this file by specifying (in 
the File..open dialog), a name typed in as "tomcaT.gif" (I just tried).
Thus at that level it is case-insensitive.
I can also not create another file in the same directory, named 
"tomcaT.gif".  If I try, I get a message saying that a file with the 
same name already exists (meaning the "tomcat.gif").  Thus at that level 
also it is case-insensitive.

However, via Tomcat (like the above link), if I specify a URL of 
"tomcaT.gif", I get a 404.
So apparently Tomcat does not just use the standard Windows file..open 
function, it runs additional checks.
Good.
Because if it did not, then I could request /myapp/web-inf/anything and 
get it, bypassing the /WEB-INF/ protection.


In the Tomcat on-line documentation, both for 5.5 and 6.0, for the 
Context element, I find the following explanation for the attribute 
"caseSensitive" :

"If the value of this flag is true, all case sensitivity checks will be 
disabled. If not specified, the default value of the flag is true.

NOTE: This flag MUST NOT be set to false on the Windows platform (or any 
other OS which does not have a case sensitive filesystem), as it will 
disable case sensitivity checks, allowing JSP source code disclosure, 
among other security problems."

I personally find this paragraph rather obscure, since the first and 
third phrase seem to contradict each other.
In the 1st one it says that, if set to true, all case sensitivity checks 
will be disabled. (true -> disabled)
In the third, it says that setting it to false will disable case 
sensitivity checks. (false -> disabled)

So both true and false disable case-sensitivity checks.
Mmmmm..  in the quantum realm maybe, but in Tomcat ?

Should the first phrase not read
"If the value of this flag is true, all case sensitivity checks will be 
*enabled*."

?

I also wonder what the purpose of this attribute really is, in fact.
Should this not always be left to "case sensitive = true" ?
- under Windows or any case-insensitive filesystem, it should be left to 
"true". Ok, understandable.
- but under a case-sensitive filesystem, what would be a good reason to 
set it to "false" ?
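
The kind of additional check discussed in this message, as an added example that is not part of the original message and is not Tomcat's own code: a resolver that serves a file only when every URL segment matches a directory entry with exactly the same capitalisation, so `/tomcaT.gif` and `/web-inf/web.xml` give a 404 even on a filesystem that would open them. The names `resolve`, `build_sample_docbase` and `PROTECTED` are hypothetical, and the sample webapp is constructed.

```python
import os
import tempfile

# Directories never served to clients (exact spelling, as on disk).
PROTECTED = ("WEB-INF", "META-INF")


def resolve(doc_base, url_path):
    """Return the file to serve for url_path, or None (meaning 404).

    Each segment is compared against the names the directory really
    contains, so the result does not depend on whether the operating
    system would open the file under a different capitalisation.
    """
    segments = [s for s in url_path.split("/") if s]
    if not segments:
        return None
    current = doc_base
    for seg in segments:
        if seg in (".", "..") or seg in PROTECTED:
            return None
        try:
            names = os.listdir(current)  # names as stored on disk
        except OSError:                  # not a directory, or unreadable
            return None
        if seg not in names:             # exact-case comparison
            return None
        current = os.path.join(current, seg)
    return current if os.path.isfile(current) else None


def build_sample_docbase():
    """Constructed sample webapp: tomcat.gif plus WEB-INF/web.xml."""
    base = tempfile.mkdtemp()
    os.mkdir(os.path.join(base, "WEB-INF"))
    for rel in ("tomcat.gif", os.path.join("WEB-INF", "web.xml")):
        with open(os.path.join(base, rel), "w") as fh:
            fh.write("sample")
    return base


if __name__ == "__main__":
    base = build_sample_docbase()
    for url in ("/tomcat.gif", "/tomcaT.gif",
                "/web-inf/web.xml", "/WEB-INF/web.xml"):
        print(url, "->", "200" if resolve(base, url) else "404")
```

Without the exact-case comparison, the `PROTECTED` test alone would let `/web-inf/web.xml` through on a case-insensitive filesystem, which is the bypass the message describes.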


