tomcat-users mailing list archives

From Mark Thomas <ma...@apache.org>
Subject Re: getRealPath is a bad idea?
Date Thu, 02 Mar 2017 20:06:10 GMT
On 02/03/17 19:59, Berneburg, Cris J. - US wrote:
> Chris
> 
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@...]
> Sent: Friday, February 24, 2017 [multiple]
> To: Tomcat Users List
> Subject: Re: Getting application root path before servlet is initialized?
> 
> [SNIP]
> 
> Martin K> In order to avoid hard coding that path,
> Martin K> I need a programmatic to find that value.
> Martin K> Unfortunately the datasource is initialized
> Martin K> before the servlet, so "getRealPath()" is
> Martin K> not working yet.
> 
> chris S>>> getRealPath is a bad idea. <<<
> 
> For my education's sake, would you please explain that?  Or is your follow-up below the explanation?

There is no guarantee it will return a non-null value. The typical
reason is if the app is running from a packed WAR. Using it reduces the
portability of your application.

Mark


> 
> chris S> would it be possible to store it *outside* of
> chris S> the web application's on-disk footprint? That
> chris S> will in fact make you more secure. Let's say
> chris S> for example that a vulnerability exists in the
> chris S> DefaultServlet, or one of your application's
> chris S> own servlets. It allows path-traversal or
> chris S> whatever. A file living in your application
> chris S> will then be potentially remotely-fetchable :(
> chris S> If you move that file outside of the web
> chris S> application, you have a better chance of
> chris S> preventing that kind of thing.
> 
> --
> Cris Berneburg
> CACI Lead Software Engineer
> 
> 


---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@tomcat.apache.org
For additional commands, e-mail: users-help@tomcat.apache.org
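The two points made in the thread, that getRealPath() may return null (packed WAR) and that application files are safer outside the web application's on-disk footprint, can be combined in one loader. The following is an added example, not code from the thread or from Tomcat: a ServletContextListener (which runs at context start, before any servlet is initialized) that looks for its configuration first in an external directory named by a system property, then falls back to a classpath stream, and never depends on getRealPath(). The property name `myapp.config.dir`, the file name `app.properties` and the attribute name `myapp.config` are assumptions chosen for the example; it targets the javax.servlet API as shipped with Tomcat 8.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;

import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

/**
 * Loads the application's configuration without calling getRealPath().
 *
 * Lookup order:
 *   1. A directory outside the webapp, named by the (hypothetical) system
 *      property "myapp.config.dir", e.g. set in CATALINA_OPTS. A file there is
 *      not served by the DefaultServlet and is not reachable through a
 *      path-traversal bug in the application itself.
 *   2. /WEB-INF inside the web application, read as a stream via
 *      getResourceAsStream(), which works for both packed and exploded WARs.
 */
@WebListener
public class ConfigLoader implements ServletContextListener {

    static final String CONFIG_DIR_PROPERTY = "myapp.config.dir"; // hypothetical
    static final String CONFIG_FILE = "app.properties";           // hypothetical
    static final String CONFIG_ATTRIBUTE = "myapp.config";        // hypothetical

    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            // Runs before any servlet's init(), so servlets can rely on the attribute.
            ctx.setAttribute(CONFIG_ATTRIBUTE, load(ctx));
        } catch (IOException e) {
            // Fail the deployment rather than start with missing configuration.
            throw new IllegalStateException("cannot load " + CONFIG_FILE, e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute(CONFIG_ATTRIBUTE);
    }

    static Properties load(ServletContext ctx) throws IOException {
        Properties props = new Properties();
        try (InputStream in = openConfig(ctx)) {
            props.load(in);
        }
        return props;
    }

    static InputStream openConfig(ServletContext ctx) throws IOException {
        // 1. External directory, outside the web application's on-disk footprint.
        String dir = System.getProperty(CONFIG_DIR_PROPERTY);
        if (dir != null) {
            Path external = Paths.get(dir).resolve(CONFIG_FILE).normalize();
            if (Files.isRegularFile(external)) {
                ctx.log("loading " + CONFIG_FILE + " from external directory " + external.getParent());
                return Files.newInputStream(external);
            }
        }
        // 2. Inside the WAR: a stream, not a filesystem path, so no real path is needed.
        InputStream in = ctx.getResourceAsStream("/WEB-INF/" + CONFIG_FILE);
        if (in == null) {
            throw new IOException(CONFIG_FILE + " found neither in -D" + CONFIG_DIR_PROPERTY
                    + " nor in /WEB-INF");
        }
        ctx.log("loading " + CONFIG_FILE + " from /WEB-INF inside the webapp");
        return in;
    }

    /** Illustrates Mark's point: getRealPath() is null when there is no on-disk file. */
    static String describeRealPath(ServletContext ctx) {
        String real = ctx.getRealPath("/WEB-INF/" + CONFIG_FILE);
        return real == null
                ? "getRealPath() returned null (packed WAR or non-filesystem resource)"
                : "getRealPath() -> " + real;
    }
}
```

The external directory is resolved only from a system property set by the operator, never from request data, and the fallback reads through getResourceAsStream() so the same WAR deploys unchanged whether Tomcat unpacks it or not; describeRealPath() is included only to show the null case a caller of getRealPath() has to handle.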

