From: Christopher Schultz
Date: Tue, 04 Oct 2011 15:05:52 -0400
To: Tomcat Users List
Subject: Re: WebApps sharing uploaded files
Message-ID: <4E8B5910.5010903@christopherschultz.net>

André,

On 10/4/2011 1:56 PM, André Warnier wrote:
> quote
>
> allowLinking
>
> If the value of this flag is true, symlinks will be allowed inside
> the web application, pointing to resources outside the web
> application base path. If not specified, the default value of the
> flag is false.
>
> NOTE: This flag MUST NOT be set to true on the Windows platform (or
> any other OS which does not have a case sensitive filesystem), as
> it will disable case sensitivity checks, allowing JSP source code
> disclosure, among other security problems.
>
> unquote
>
> Is this second paragraph really well-placed there? Does
> allowLinking really influence case-sensitivity?

I'm not sure. I think, on Windows, links (like "My Link.lnk") need to be
processed separately, and, of course, case cannot be considered
significant on FAT and NTFS. There are other kinds of symlinks (not
"My Link.lnk") available on NTFS, but I'm not sure of their semantics.

Also note that allowLinking can cause problems with Tomcat's
slash-and-burn policy when undeploying webapps on *NIX (and possibly on
Windows as well).

-chris
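
The link between the two properties in the quoted documentation can be illustrated with a lookup that compares a file's canonical path with the requested path: that one comparison refuses both symlinks and names that differ only in case, so skipping it for links also removes the case check. This is an added example, not part of the original message and not Tomcat's own code; `LinkCheckDemo`, `lookup` and the temp-directory layout are hypothetical names and constructed sample data.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class LinkCheckDemo {
    /** Hypothetical lookup: returns the file to serve, or null if refused. */
    static File lookup(File base, String name, boolean allowLinking) throws IOException {
        File file = new File(base, name);
        if (!file.exists()) return null;
        if (allowLinking) return file;   // canonical-path comparison skipped entirely
        String canonicalBase = base.getCanonicalPath();
        String canonical = file.getCanonicalPath();
        // On *NIX a symlink canonicalises to its target, so a link that
        // leaves the base directory is refused here.
        if (!canonical.startsWith(canonicalBase + File.separator)) return null;
        // On a case-insensitive filesystem "INDEX.JSP" exists but canonicalises
        // to the on-disk spelling "index.jsp", so a case mismatch is refused here.
        String requested = new File(canonicalBase, name).getPath();
        return canonical.equals(requested) ? file : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout: a web application base directory and an
        // upload directory outside it, joined by a symlink (creating the link
        // may need extra privileges on Windows).
        Path base = Files.createTempDirectory("webapp");
        Path outside = Files.createTempDirectory("uploads");
        Files.write(base.resolve("index.jsp"), "<%-- page --%>".getBytes());
        Files.write(outside.resolve("a.txt"), "upload".getBytes());
        Files.createSymbolicLink(base.resolve("files"), outside);

        for (boolean allow : new boolean[] {false, true}) {
            System.out.println("allowLinking=" + allow);
            for (String name : new String[] {"index.jsp", "INDEX.JSP", "files/a.txt"}) {
                File f = lookup(base.toFile(), name, allow);
                System.out.println("  " + name + " -> " + (f == null ? "refused" : "served"));
            }
        }
    }
}
```

On a case-sensitive filesystem the `INDEX.JSP` lookup fails simply because no such file exists; the canonical comparison only matters where the filesystem ignores case.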