Posted to users@tomcat.apache.org by Surya Suravarapu <su...@villanova.edu> on 2002/03/21 05:57:18 UTC
Apache/Tomcat security issue -- URGENT
I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
I've a context called WebApp whose docBase="E:\WebApp". So, when I
point my browser to http://localhost/WebApp/main it will take me to the
login screen of the application.
There is a folder called "Reports" in my E:\WebApp. Some part of my
application is using Response.sendRedirect() and displaying the
requested file (from the Reports folder) to the browser. That's fine. I
want to show the files from that folder only through the application
and I have to configure my web server in such a way that it denies
requests if a user enters the file name manually like
http://localhost/WebApp/Reports/some-file.xls. Please help me if you
have a solution for this.
Thanks.
-Surya
--
To unsubscribe: <ma...@jakarta.apache.org>
For additional commands: <ma...@jakarta.apache.org>
Troubles with the list: <ma...@jakarta.apache.org>
Re: Apache/Tomcat security issue -- URGENT
Posted by todd tredeau <to...@wisernet.com>.
This is sort of easy... of course you run your site through Apache...
which in turn does this connection....
deny from all "somedirectory"
in your application or code...
include something from "somedirectory"
todd
http://www.wiserlabz.com
collaborative effort to promote Novell and Open Source solutions
include ... www.link-tool.com on your site
Surya Suravarapu wrote:
>I'm using Apache 1.3.22 and Tomcat 4.0.2 on Windows NT/2000.
>
>I've a context called WebApp whose docBase="E:\WebApp". So, when I
>point my browser to http://localhost/WebApp/main it will take me to the
>login screen of the application.
>
>There is a folder called "Reports" in my E:\WebApp. Some part of my
>application is using Response.sendRedirect() and displaying the
>requested file (from the Reports folder) to the browser. That's fine. I
>want to show the files from that folder only through the application
>and I have to configure my web server in such a way that it denies
>requests if a User enters the file name manually like
>http://localhost/WebApp/Reports/some-file.xls. Please help me if you
>have a solution for this.
>
>Thanks.
>-Surya
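A Tomcat-side approach, added here as an example and not code from either poster: move the Reports folder outside the context's docBase so nothing can fetch it by URL, and let the application stream a report only after its own login check has passed. The servlet class, its `/report/*` mapping, the `E:\Reports` location and the `"user"` session attribute are assumptions about this application.

```java
import java.io.*;
import javax.servlet.*;
import javax.servlet.http.*;
// Hypothetical servlet, assumed mapped to /report/* in the WebApp context. The
// reports live OUTSIDE the docBase (assumed E:\Reports), so Tomcat's default
// servlet can never serve them directly; they are reachable only through here.
public class ReportServlet extends HttpServlet {
    private static final File REPORT_DIR = new File("E:\\Reports");
    protected void doGet(HttpServletRequest req, HttpServletResponse resp)
            throws ServletException, IOException {
        // 1. Reuse the application's own login check; the "user" session
        //    attribute is an assumption about how this application tracks login.
        HttpSession session = req.getSession(false);
        if (session == null || session.getAttribute("user") == null) {
            resp.sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        // 2. The file name is the path after the mapping:
        //    /WebApp/report/some-file.xls -> getPathInfo() == "/some-file.xls"
        String info = req.getPathInfo();
        File f = (info == null || info.length() < 2)
                ? null : resolveInside(REPORT_DIR, info.substring(1));
        if (f == null || !f.isFile()) {
            resp.sendError(HttpServletResponse.SC_NOT_FOUND);
            return;
        }
        // 3. Stream the bytes instead of sendRedirect(): a redirect only works
        //    when the file has a public URL, which is exactly what must not exist.
        resp.setContentType("application/octet-stream");
        resp.setContentLength((int) f.length());
        InputStream in = new FileInputStream(f);
        try {
            OutputStream out = resp.getOutputStream();
            byte[] buf = new byte[8192];
            for (int n; (n = in.read(buf)) != -1; ) out.write(buf, 0, n);
        } finally {
            in.close();
        }
    }
    /** Returns the file only if its canonical path stays inside dir, so "..",
     *  absolute paths and drive letters in the request are all rejected. */
    static File resolveInside(File dir, String name) {
        try {
            String base = dir.getCanonicalPath() + File.separator;
            File f = new File(dir, name);
            return f.getCanonicalPath().startsWith(base) ? f : null;
        } catch (IOException e) { return null; }
    }
}
```

An Apache-level deny on the Reports path is still worth having, but it only covers requests that pass through Apache; a request sent straight to Tomcat's own HTTP connector never sees that rule, which is why the restriction belongs in the web application itself.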