tomcat-users mailing list archives

From Christopher Schultz
Subject Re: WebApps sharing uploaded files
Date Tue, 04 Oct 2011 19:05:52 GMT


On 10/4/2011 1:56 PM, André Warnier wrote:
> quote
> allowLinking
> If the value of this flag is true, symlinks will be allowed inside
> the web application, pointing to resources outside the web
> application base path. If not specified, the default value of the
> flag is false.
> NOTE: This flag MUST NOT be set to true on the Windows platform (or
> any other OS which does not have a case sensitive filesystem), as
> it will disable case sensitivity checks, allowing JSP source code
> disclosure, among other security problems.
> unquote
> Is this second paragraph really well-placed there? Does
> allowLinking really influence case-sensitivity?

I'm not sure. I think, on Windows, links (like "My Link.lnk") need to
be processed separately, and, of course, case cannot be considered
significant on FAT and NTFS. There are other kinds of symlinks (not
"My Link.lnk") available on NTFS, but I'm not sure of their semantics.

Also note that allowLinking can cause problems with Tomcat's
slash-and-burn policy when undeploying webapps on *NIX (and possibly
on Windows as well).

-chris
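The question raised in this message, whether allowLinking really affects case sensitivity, can be seen in code: a lookup that refuses links by comparing a file's canonical path with the requested path catches case mismatches with that same comparison, so skipping it for links skips both checks. The Java sketch below is an added illustration, not part of the original message and not Tomcat's source; the class and method names, and the assumption that the request path is already normalized, are hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration; not Tomcat source. Class and method names are hypothetical.
public class AllowLinkingDemo {
    // Returns the file to serve, or null if the lookup must be refused.
    // Assumes requestPath is already normalized (no "." or ".." segments).
    static File resolve(File docBase, String requestPath, boolean allowLinking)
            throws IOException {
        String base = docBase.getCanonicalPath();
        File requested = new File(base, requestPath);
        if (!requested.isFile() || !requested.canRead()) {
            return null;
        }
        if (allowLinking) {
            return requested; // the canonical form is never examined
        }
        String canonical = requested.getCanonicalPath();
        // Containment: a link whose target is outside docBase fails here.
        if (!canonical.startsWith(base + File.separator)) {
            return null;
        }
        // Exact match: on a case-insensitive filesystem "INDEX.JSP" exists
        // but canonicalizes to "index.jsp", so the spelling differs. A link
        // inside docBase differs from its target in the same way.
        return canonical.equals(requested.getAbsolutePath()) ? requested : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree in a temporary directory.
        Path root = Files.createTempDirectory("demo");
        Path docBase = Files.createDirectory(root.resolve("webapp"));
        Files.write(docBase.resolve("index.jsp"), "<% /* source */ %>".getBytes());
        Path outside = Files.write(root.resolve("shared.txt"), "shared".getBytes());
        try {
            Files.createSymbolicLink(docBase.resolve("shared.txt"), outside);
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symlinks unavailable here: " + e);
        }
        for (boolean allow : new boolean[] {false, true}) {
            for (String path : new String[] {"index.jsp", "INDEX.JSP", "shared.txt"}) {
                File f = resolve(docBase.toFile(), path, allow);
                String verdict = (f == null) ? "refused" : "served";
                System.out.println("allowLinking=" + allow + " " + path + " -> " + verdict);
            }
        }
    }
}
```

On a case-sensitive filesystem `INDEX.JSP` is refused in both modes because no such file exists; the two modes differ for that path only on Windows or another case-insensitive filesystem, which is the situation the quoted NOTE describes.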