tomcat-dev mailing list archives

From "Craig R. McClanahan" <>
Subject Re: Web application security problem on windows
Date Fri, 01 Dec 2000 18:41:00 GMT
Petr Jiricka wrote:

> Does not the following address this issue for Tomcat 3.2? (from
> $TOMCAT_HOME/doc/readme)
>
> 6.7 URLs are now case sensitive on all operating systems
>
> As of Tomcat 3.2, URLs are case sensitive for all operating systems,
> including operating systems which have case insensitive file systems, such
> as Windows. This represents a change from Tomcat 3.1, where URLs were case
> insensitive on case insensitive OSs. This was done for a number of reasons,
> security and portability among them.

Tomcat 3.2 and 4.0 both have special logic to protect against the "/WeB-iNf"
type attacks.  They will not serve up static resources under WEB-INF or META-INF
no matter how you try to mix the cases.

Until last night, both Tomcat 3.2 and 4.0 executed a JSP page under WEB-INF
if you put one there (which is not recommended).  That's been fixed by a patch
that will appear in the next release of each version.

Neither Tomcat version currently has any mechanism to deal with the fact that
security constraints are case sensitive.  As Greg points out, that's an issue
that the spec expert group needs to think about.

The workaround I suggest is to use URL patterns like "/*", or directory names
with only digits in them, if this is an issue for your application.

> Petr

Craig McClanahan

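The mismatch Craig describes, modelled as an added example that is not Tomcat's code and not part of the thread: a servlet-style constraint matcher that compares url-patterns case-sensitively, beside a file lookup that behaves like a Windows file system (case-insensitive). The constraint tables, the fake webapp files and the request paths are all constructed for the illustration, and the matcher is a simplified model of prefix matching, not Tomcat's implementation. It shows the bypass against a literal `/admin/*` pattern, and that both of Craig's workarounds (`/*`, and a digits-only directory name) close it.

```python
# Added example (not Tomcat's code): a small model of the case-sensitivity
# mismatch between security constraints and a case-insensitive file system.
# The constraint tables, the fake webapp files and the request paths are
# constructed for the illustration.

# Constructed web.xml-style <security-constraint> tables: url-pattern -> roles.
CONSTRAINTS_NARROW = {"/admin/*": {"manager"}}   # the natural, fragile pattern
CONSTRAINTS_WIDE   = {"/*": {"manager"}}         # Craig's "/*" workaround
CONSTRAINTS_DIGITS = {"/1234/*": {"manager"}}    # Craig's digits-only directory workaround

# Constructed webapp content, keyed by the file's real on-disk path.
WEBAPP_FILES = {
    "/admin/secret.jsp": "<%= \"secret\" %>",
    "/1234/secret.jsp": "<%= \"secret\" %>",
    "/index.html": "<h1>public</h1>",
}


def pattern_matches(pattern, path):
    """Servlet-spec style URL matching, case-sensitive: an exact match or a
    path-prefix pattern of the form '/dir/*'."""
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return path == pattern


def required_roles(path, constraints):
    """Union of the roles demanded by every constraint whose pattern matches."""
    roles = set()
    for pattern, pattern_roles in constraints.items():
        if pattern_matches(pattern, path):
            roles |= pattern_roles
    return roles


def lookup_file(path, case_insensitive_fs):
    """File lookup. On a case-insensitive file system (Windows) any case
    variant of the path finds the same file; on a case-sensitive one only
    the exact path does."""
    if not case_insensitive_fs:
        return WEBAPP_FILES.get(path)
    for real_path, content in WEBAPP_FILES.items():
        if real_path.lower() == path.lower():
            return content
    return None


def serve(path, user_roles, constraints, case_insensitive_fs=True):
    """Return an HTTP status for a request: the constraint check runs on the
    URL exactly as sent, then the file lookup runs on that same URL."""
    needed = required_roles(path, constraints)
    if needed and not (needed & user_roles):
        return 403
    return 200 if lookup_file(path, case_insensitive_fs) is not None else 404


def demo():
    """Anonymous requests against each constraint table."""
    anon = set()
    return {
        # Canonical case is protected by the narrow pattern...
        "narrow/canonical/windows": serve("/admin/secret.jsp", anon, CONSTRAINTS_NARROW),
        # ...but a case-mixed URL misses the pattern and still finds the file.
        "narrow/mixed/windows": serve("/AdMiN/secret.jsp", anon, CONSTRAINTS_NARROW),
        # On a case-sensitive file system the mixed-case URL finds nothing.
        "narrow/mixed/unix": serve("/AdMiN/secret.jsp", anon, CONSTRAINTS_NARROW, False),
        # "/*" matches every spelling, so the bypass is closed.
        "wide/mixed/windows": serve("/AdMiN/secret.jsp", anon, CONSTRAINTS_WIDE),
        # A digits-only directory has no case to mix; only the file name can
        # vary, and the prefix pattern matches any file name under it.
        "digits/mixed/windows": serve("/1234/SeCrEt.jsp", anon, CONSTRAINTS_DIGITS),
    }


if __name__ == "__main__":
    for case, status in demo().items():
        print(f"{case:28} -> {status}")
```

The `narrow/mixed/windows` case is the bypass: the constraint never fires because `/AdMiN` is not `/admin`, yet the file system hands back the same file. The same request on a case-sensitive file system simply 404s, which is why the problem only shows up on Windows.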