tomcat-users mailing list archives

From Mark Thomas <>
Subject Re: getRealPath is a bad idea?
Date Thu, 02 Mar 2017 20:06:10 GMT
On 02/03/17 19:59, Berneburg, Cris J. - US wrote:
> Chris
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@...]
> Sent: Friday, February 24, 2017 [multiple]
> To: Tomcat Users List
> Subject: Re: Getting application root path before servlet is initialized?
> [SNIP]
> Martin K> In order to avoid hard coding that path,
> Martin K> I need a programmatic way to find that value.
> Martin K> Unfortunately the datasource is initialized
> Martin K> before the servlet, so "getRealPath()" is
> Martin K> not working yet.
> chris S>>> getRealPath is a bad idea. <<<
> For my education's sake, would you please explain that?  Or is your follow-up below the

There is no guarantee it will return a non-null value. The typical
reason is if the app is running from a packed WAR. Using it reduces the
portability of your application.


> chris S> would it be possible to store it *outside* of
> chris S> the web application's on-disk footprint? That
> chris S> will in fact make you more secure. Let's say
> chris S> for example that a vulnerability exists in the
> chris S> DefaultServlet, or one of your application's
> chris S> own servlets. It allows path-traversal or
> chris S> whatever. A file living in your application
> chris S> will then be potentially remotely-fetchable :(
> chris S> If you move that file outside of the web
> chris S> application, you have a better chance of
> chris S> preventing that kind of thing.
> --
> Cris Berneburg
> CACI Lead Software Engineer
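As an added illustration (not code from this thread or from Tomcat itself), a ServletContextListener that follows both points above: it reads a resource packaged in the WAR through getResourceAsStream() instead of getRealPath(), and reads deployment-specific data from a directory outside the webapp that is supplied by a context parameter. The parameter name app.configDir, the file names and the attribute name are assumptions; listeners run at context start-up, before any servlet is initialized.

```java
import java.io.IOException;
import java.io.InputStream;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;
import java.util.Properties;
import javax.servlet.ServletContext;
import javax.servlet.ServletContextEvent;
import javax.servlet.ServletContextListener;
import javax.servlet.annotation.WebListener;

@WebListener
public class ConfigLoader implements ServletContextListener {
    @Override
    public void contextInitialized(ServletContextEvent sce) {
        ServletContext ctx = sce.getServletContext();
        try {
            // 1. Resource packaged in the WAR: read it as a stream. Works for
            //    exploded and packed WARs alike, no reliance on getRealPath().
            Properties defaults = new Properties();
            try (InputStream in = ctx.getResourceAsStream("/WEB-INF/defaults.properties")) {
                if (in == null) {
                    throw new IllegalStateException("defaults.properties missing from WAR");
                }
                defaults.load(in);
            }
            // 2. Deployment-specific file kept outside the webapp footprint. The
            //    directory comes from a context parameter (web.xml or the Tomcat
            //    context descriptor); "app.configDir" is a hypothetical name.
            String dir = ctx.getInitParameter("app.configDir");
            if (dir == null) {
                throw new IllegalStateException("context parameter app.configDir is not set");
            }
            Path external = Paths.get(dir).toAbsolutePath().normalize();
            Properties site = new Properties(defaults);
            try (InputStream in = Files.newInputStream(external.resolve("site.properties"))) {
                site.load(in);
            }
            ctx.setAttribute("app.config", site);
        } catch (IOException e) {
            throw new IllegalStateException("cannot load application configuration", e);
        }
    }

    @Override
    public void contextDestroyed(ServletContextEvent sce) {
        sce.getServletContext().removeAttribute("app.config");
    }
}
```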
