tomcat-users mailing list archives

From Len Popp <len.p...@gmail.com>
Subject Re: Tomcat for serving only static files - how to prevent the likes of JSP execution
Date Sat, 04 Jul 2009 23:37:31 GMT
The default handling of JSP files is set in conf/web.xml: *.jsp and
*.jspx are handled by JspServlet.

In your "special" context, you could handle *.jsp and *.jspx files
with a servlet that just returns an error. That should do the trick.
-- 
Len



2009/7/4 Keith67 <keithmatthewwatson@gmail.com>:
>
> This might seem like a strange request, but I would like to use Tomcat to
> only serve static files, from a certain context anyway.
>
> I have an application I would like to allow users to upload files through,
> and then I want to be able to link to them and serve them from the server.
>
> If I do this, I run the risk of them uploading executable content (e.g. a
> JSP file) and then having it executed on the server, so I would like to stop
> this happening.
>
> Does anyone know how I could prevent any dynamic processing of files in a
> given Tomcat context?
>
> I appreciate I could just install Apache and do it that way but I'd rather
> just keep it simple with Tomcat.
>
> Thanks.
>
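The approach suggested in the reply above, written out as an added example (not part of the original message and not Tomcat's own code): a servlet that answers every request with an error, mapped over `*.jsp` and `*.jspx` in the upload context's own `WEB-INF/web.xml` so that those patterns no longer reach JspServlet. The class name `RejectJspServlet`, the package `example` and the servlet name `reject-jsp` are assumptions made for illustration.

```java
package example; // hypothetical package name

import java.io.IOException;
import javax.servlet.ServletException;
import javax.servlet.http.HttpServlet;
import javax.servlet.http.HttpServletRequest;
import javax.servlet.http.HttpServletResponse;

/**
 * Refuses every request it is mapped to, so uploaded *.jsp / *.jspx files
 * are never handed to the JSP engine in this context.
 *
 * Mapping for the upload context's WEB-INF/web.xml. A mapping declared by
 * the web application replaces the default from conf/web.xml for the same
 * URL pattern:
 *
 *   <servlet>
 *     <servlet-name>reject-jsp</servlet-name>
 *     <servlet-class>example.RejectJspServlet</servlet-class>
 *   </servlet>
 *   <servlet-mapping>
 *     <servlet-name>reject-jsp</servlet-name>
 *     <url-pattern>*.jsp</url-pattern>
 *   </servlet-mapping>
 *   <servlet-mapping>
 *     <servlet-name>reject-jsp</servlet-name>
 *     <url-pattern>*.jspx</url-pattern>
 *   </servlet-mapping>
 *
 * Uses the javax.servlet API; Tomcat 10 and later use jakarta.servlet.
 */
public class RejectJspServlet extends HttpServlet {

    private static final long serialVersionUID = 1L;

    // Overriding service() rather than doGet() covers every HTTP method,
    // so POST, PUT, HEAD and the rest are refused as well.
    @Override
    protected void service(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // Record the attempt: a request for a JSP in an uploads-only
        // context is worth reviewing. getRequestURI() is not URL-decoded.
        log("Refused request for " + req.getRequestURI()
                + " from " + req.getRemoteAddr());
        // 404 gives no hint that the file exists; nothing is compiled or run.
        resp.sendError(HttpServletResponse.SC_NOT_FOUND);
    }
}
```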
