tomcat-users mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject Re: WebApps sharing uploaded files
Date Tue, 04 Oct 2011 19:05:52 GMT
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

André,

On 10/4/2011 1:56 PM, André Warnier wrote:
> quote
> 
> allowLinking
> 
> If the value of this flag is true, symlinks will be allowed inside
> the web application, pointing to resources outside the web
> application base path. If not specified, the default value of the
> flag is false.
> 
> NOTE: This flag MUST NOT be set to true on the Windows platform (or
> any other OS which does not have a case sensitive filesystem), as
> it will disable case sensitivity checks, allowing JSP source code
> disclosure, among other security problems.
> 
> unquote
> 
> Is this second paragraph really well-placed there? Does
> allowLinking really influence case-sensitivity?

I'm not sure. I think, on Windows, links (like "My Link.lnk") need to
be processed separately, and, of course, case cannot be considered
significant on FAT and NTFS. There are other kinds of symlinks (not
"My Link.lnk") available on NTFS, but I'm not sure of their semantics.

Also note that allowLinking can cause problems with Tomcat's
slash-and-burn policy when undeploying webapps on *NIX (and possibly
on Windows as well).

- -chris
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.10 (MingW32)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAk6LWRAACgkQ9CaO5/Lv0PDJuwCfeZaBGYgxrrZ4cn4RHiJIspUW
sqQAnjX5JykypI8V11aR1CmhDp2Fern2
=xaSN
-----END PGP SIGNATURE-----
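The link between allowLinking and case sensitivity that André asks about comes from how the container enforces the flag: with allowLinking=false, a resource is only served when its canonical filesystem path is identical to the path that was requested. That one comparison rejects a symlink (the canonical path points elsewhere) and, on a case-insensitive filesystem, a mis-cased name (the canonical path carries the on-disk case), which is why turning the flag on removes both protections. The following Python model of that rule is an added example written for this archive page; it is not code from the thread, from Tomcat, or from any of its contributors. The function and fixture names (`resolve_webapp_resource`, `build_fixture`), the request paths and the directory layout are all constructed for the demonstration.

```python
import os
import tempfile


def resolve_webapp_resource(doc_base, request_path, allow_linking=False):
    """Map a request path onto the filesystem the way a container that
    honours allowLinking=false must: the file has to live under the
    document base, and its canonical path (symlinks resolved, and on
    case-insensitive filesystems the on-disk case) has to be identical
    to the path that was asked for.  Returns the absolute path of the
    file to serve, or None when the request must be refused."""
    # Canonicalise the base once, so a symlinked base directory
    # (e.g. /tmp on some systems) does not make every child look linked.
    base = os.path.realpath(doc_base)
    candidate = os.path.normpath(os.path.join(base, request_path.lstrip("/")))

    # 1. Containment: "../" must not escape the document base, whatever
    #    allowLinking says.
    if candidate != base and not candidate.startswith(base + os.sep):
        return None

    # 2. The resource must exist (exists() follows symlinks, so a link to
    #    an existing target passes this step and reaches the link check).
    if not os.path.exists(candidate):
        return None

    # 3. The allowLinking=false rule.  realpath() resolves symlinks, and on
    #    Windows (Python 3.8+) it also returns the name as stored on disk,
    #    so a request for "index.JSP" against a file named "index.jsp"
    #    fails this same comparison.  Skipping the check is what the
    #    documentation means by "disabling case sensitivity checks": a
    #    mis-cased name no longer matches the *.jsp servlet mapping and
    #    would be handed to the default servlet as a static file.
    if not allow_linking and os.path.realpath(candidate) != candidate:
        return None

    return candidate


def build_fixture():
    """Constructed sample layout (not a real deployment):
         <root>/webapp/index.jsp      ordinary resource
         <root>/webapp/link.txt   ->  <root>/outside.txt (symlink out of the webapp)
         <root>/outside.txt           file outside the document base
    Returns the webapp document base."""
    root = tempfile.mkdtemp(prefix="allowlinking-demo-")
    doc_base = os.path.join(root, "webapp")
    os.makedirs(os.path.join(doc_base, "WEB-INF"))
    with open(os.path.join(doc_base, "index.jsp"), "w") as fh:
        fh.write("<%= 1 + 1 %>\n")
    outside = os.path.join(root, "outside.txt")
    with open(outside, "w") as fh:
        fh.write("not part of the webapp\n")
    os.symlink(outside, os.path.join(doc_base, "link.txt"))
    return doc_base


if __name__ == "__main__":
    base = build_fixture()
    for path, linking in [("/index.jsp", False), ("/link.txt", False),
                          ("/link.txt", True), ("/../outside.txt", True)]:
        print(f"allowLinking={linking!s:5} {path:18} -> "
              f"{resolve_webapp_resource(base, path, linking)}")
```

Running it on a POSIX system shows `/index.jsp` served in both modes, `/link.txt` refused until allowLinking is true, and `/../outside.txt` refused regardless, because containment is checked before the link rule. The case-mismatch branch only triggers on a case-insensitive filesystem, which is exactly the platform the documentation's NOTE singles out.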
