tomcat-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Christopher Schultz <>
Subject Re: Tomcat for serving only static files - how to prevent the likes of JSP execution
Date Sun, 05 Jul 2009 14:25:32 GMT
Hash: SHA1


On 7/5/2009 10:15 AM, Keith67 wrote:
> In thinking about this, it may be the easiest thing for me to do to simply
> block people uploading files that look like .jsp!

That is definitely a possible strategy, but would that interfere with
your users' requirements? Also, disabling JSP execution would protect
you from accidental .jsp uploads (whether through a security breach or
some other accident). On the other hand, disabling all .jsp URLs would
prohibit you from running your /own/ JSPs, unless you set up mappings
for each individual JSP file you actually expect to run in your own webapp.

> Made me wonder if other approaches to breaking
> this would work - something about uploading symbolic links and then maybe
> web.xmls and possibly code.

There is no way I know of for a pure-Java application to write a symlink
to the filesystem, so I don't think you really have to worry about that.
Also, it's hard to get the contents of the symlink itself without
"accidentally" getting the linked-file's content instead :)

> I can't figure how this could be done and made
> to work, but it doesn't mean that someone else couldn't.

Fair enough.

> Thanks for the hint about DefaultServlet presumably doing some caching of
> what's deployed. If it comes to it, I could look at some modifications to,
> or just a new version of DefaultServlet.

Serving static files with no caching and ignoring things like returning
304 responses is exceedingly easy if you don't want to complicate your
life customizing DefaultServlet.

Good luck,
- -chris
Version: GnuPG v1.4.9 (MingW32)
Comment: Using GnuPG with Mozilla -


To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message