Posted to users@tomcat.apache.org by Chad Kellerman <ck...@alabanza.com> on 2002/08/28 14:37:58 UTC
Wouldn't this be a security risk??
Hello everyone,
I have been running Tomcat for a while and just started to notice a
few things. First, let me say I have it configured on a Linux server
with mod_webapp, with Tomcat version 4.0.3.
Let's say I have a war file application called hello.war that I call
like so:
http://mydomain.com/webapps/hello/
But if I call it this way:
http://mydomain.com/webapps/hello.war
it forces a download. I realize this is not the proper way to call
it but if someone did call it this way..
I believe I can stop this through Apache but I am not quite
sure.
Does anyone else notice this or have a fix for it???
Thanks,
Chad
--
To unsubscribe, e-mail: <ma...@jakarta.apache.org>
For additional commands, e-mail: <ma...@jakarta.apache.org>
Re: Wouldn't this be a security risk??
Posted by Tim Funk <fu...@joedog.org>.
Have apache deny the request. Very simple change to httpd.conf.
For example:
# No one in my WEB-INF directory
# (LocationMatch so that WEB-INF is denied at any depth, e.g. /webapps/hello/WEB-INF/;
# a plain <Location /WEB-INF/> only matches a URL that starts with /WEB-INF/.
# AllowOverride is only valid in a <Directory> context and has been dropped.)
<LocationMatch "/WEB-INF/">
Order allow,deny
Deny from all
Satisfy All
</LocationMatch>
# No one look at my properties files
# ("~" takes a regular expression, so the pattern is anchored on the extension)
<Files ~ "\.properties$">
Order allow,deny
Deny from all
Satisfy All
</Files>
# No one look at my website app config
# OK - This is redundant since it's in WEB-INF
<Files ~ "^web\.xml$">
Order allow,deny
Deny from all
Satisfy All
</Files>
-Tim
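An added httpd.conf fragment (not from either poster) that also covers the .war download Chad asked about, which Tim's rules do not touch. It assumes an Apache 1.3/2.0 front-end whose DocumentRoot exposes the Tomcat webapps tree as /webapps (the path /usr/local/tomcat/webapps is a placeholder); on Apache 2.4 the Order/Deny/Satisfy lines become "Require all denied".

```apache
# Added example: deny direct access to deployment artifacts that an Apache
# DocumentRoot over Tomcat's webapps/ directory would otherwise serve as files.
# Syntax: Apache 1.3 / 2.0 access control (Order / Deny / Satisfy).

# 1. The archive itself. http://host/webapps/hello.war was a plain file to
#    Apache, so it was streamed to the client. Deny every *.war and *.jar.
<FilesMatch "\.(war|jar)$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

# 2. Descriptors, classes and libraries. <Location> matches a URL prefix only,
#    so /webapps/hello/WEB-INF/ would slip past "<Location /WEB-INF/>".
#    LocationMatch denies WEB-INF and META-INF at any depth.
<LocationMatch "/(WEB-INF|META-INF)(/|$)">
    Order allow,deny
    Deny from all
    Satisfy All
</LocationMatch>

# 3. Properties files. "<Files ~ ...>" takes a regular expression, so
#    "*.properties" is invalid (nothing to repeat); anchor on the extension.
<FilesMatch "\.properties$">
    Order allow,deny
    Deny from all
    Satisfy All
</FilesMatch>

# 4. No auto-generated directory listings of the webapps tree (path assumed).
<Directory "/usr/local/tomcat/webapps">
    Options -Indexes
</Directory>
```

These rules only govern requests that arrive through Apache; if Tomcat's own HTTP connector is reachable directly, it has to be firewalled or disabled separately. After editing, run "apachectl configtest" and confirm the three URLs (the .war, a WEB-INF path, a .properties file) return 403.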