tomcat-users mailing list archives
From Keith67 <keithmatthewwat...@gmail.com>
Subject Re: Tomcat for serving only static files - how to prevent the likes of JSP execution
Date Sun, 05 Jul 2009 14:15:54 GMT

Chris and Len,

Thanks for this.

In thinking about this, it may be the easiest thing for me to do to simply
block people uploading files that look like .jsp! Initially I didn't consider
this, as it's a blacklisting approach as opposed to a whitelisting approach,
which is not as good really. Made me wonder if other approaches to breaking
this would work - something about uploading symbolic links and then maybe
web.xmls and possibly code. I can't figure how this could be done and made
to work, but it doesn't mean that someone else couldn't.

Thanks for the hint about DefaultServlet presumably doing some caching of
what's deployed. If it comes to it, I could look at some modifications to,
or just a new version of DefaultServlet.

Thanks again for the help.

Keith.



Christopher Schultz-2 wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Keith,
> 
> On 7/4/2009 7:17 PM, Keith67 wrote:
>> I have an application I would like to allow users to upload files
>> through,
>> and then I want to be able to link to them and serve them from the
>> server.
>> 
>> If I do this, I run the risk of them uploading executable content (e.g. a
>> JSP file) and then having it executed on the server, so I would like to
>> stop
>> this happening.
> 
> It's nice to know that some folks out there actually /think/ about
> security before blindly writing code!
> 
>> Does anyone know how I could prevent any dynamic processing of files in a
>> given Tomcat context.
> 
> As Len says, all you need to do is map "/*.jsp" to something other than
> the (default configured) JspServlet. While he suggests mapping it to
> some error, it seems more appropriate for your application to map it to
> the DefaultServlet instead (so you can serve the files).
> 
> On the other hand, DefaultServlet may have some problems serving files
> that have been written into your webapp's directory after deployment
> (search the archives for many discussions of this). It's not a good idea
> to write files to the deployment directory, anyway, and so
> DefaultServlet (without modifications) won't be able to serve your files.
> 
> If you already have a servlet written to serve the files /other/ than
> "/*.jsp", simply map "/*.jsp" to that same servlet and you should be
> good to go.
> 
> - -chris
> -----BEGIN PGP SIGNATURE-----
> Version: GnuPG v1.4.9 (MingW32)
> Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/
> 
> iEYEARECAAYFAkpQsmMACgkQ9CaO5/Lv0PBiewCcCRwqVox1wiXwokBip1B4sVrp
> uTcAn1s3CPWY3XEKWNR3cnhYPVAloWIG
> =kf6I
> -----END PGP SIGNATURE-----
> 
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
> For additional commands, e-mail: users-help@tomcat.apache.org
> 
> 
> 

-- 
View this message in context: http://www.nabble.com/Tomcat-for-serving-only-static-files---how-to-prevent-the-likes-of-JSP-execution-tp24338874p24343448.html
Sent from the Tomcat - User mailing list archive at Nabble.com.
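The mapping Chris and Len describe, written out as a context-level `WEB-INF/web.xml` fragment. This is an added example, not code from the thread or from the Tomcat project. It assumes Tomcat's stock `conf/web.xml`, in which the JspServlet is registered under the name `jsp` with the patterns `*.jsp` and `*.jspx`, and the DefaultServlet under the name `default`; the Servlet specification's extension-mapping form is `*.jsp` (no leading slash). It goes slightly beyond the thread by also covering `*.jspx`, since the stock configuration sends that extension to the JspServlet too. The commented-out alternative with `FileServlet` and `com.example.upload.FileServlet` is a placeholder for a file-serving servlet of your own, as Chris suggests.

```xml
<?xml version="1.0" encoding="UTF-8"?>
<!-- WEB-INF/web.xml of the webapp that stores and serves uploads
     (added example; assumes Tomcat's stock conf/web.xml servlet names) -->
<web-app xmlns="http://java.sun.com/xml/ns/javaee"
         xmlns:xsi="http://www.w3.org/2001/XMLSchema-instance"
         xsi:schemaLocation="http://java.sun.com/xml/ns/javaee
                             http://java.sun.com/xml/ns/javaee/web-app_2_5.xsd"
         version="2.5">

  <!-- Tomcat's global conf/web.xml maps *.jsp and *.jspx to the servlet
       named "jsp" (the JspServlet). A mapping for the same pattern in the
       webapp's own web.xml overrides that for this context only, so an
       uploaded .jsp is handed to the DefaultServlet ("default") and sent
       back as plain bytes instead of being compiled and executed. -->
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>default</servlet-name>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>

  <!-- Alternative from the thread: if a servlet of your own already serves
       the uploads, point the same patterns at it instead. "FileServlet" and
       its class name are placeholders, not real classes. -->
  <!--
  <servlet>
    <servlet-name>FileServlet</servlet-name>
    <servlet-class>com.example.upload.FileServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>FileServlet</servlet-name>
    <url-pattern>*.jsp</url-pattern>
  </servlet-mapping>
  <servlet-mapping>
    <servlet-name>FileServlet</servlet-name>
    <url-pattern>*.jspx</url-pattern>
  </servlet-mapping>
  -->
</web-app>
```

To check that the override took effect, place a file such as `probe.jsp` containing a harmless expression (`<%= 1 + 1 %>`) in the upload directory and request it: the response body must be the literal source text, not `2`. Two caveats from the thread still apply: the servlet name `default` is Tomcat-specific, so another container needs its own name for the static-file servlet, and the DefaultServlet caches what it saw at deployment, so files written into the deployed webapp afterwards may not be served until that cache is addressed (hence Chris's advice to keep uploads out of the deployment directory and serve them with a dedicated servlet).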

