Posted to users@tomcat.apache.org by Pat Schaider <pa...@cider.fakkir.net> on 2002/02/26 04:02:59 UTC
jsp:include security question
Hello --
I am trying to get a new Tomcat system configured for my school's CS
department. We want to use version 4 (I am working with 4.0.2).
We need a system that lets students keep their files private, to make sure
that nobody cheats by stealing somebody's servlets or jsp. I am testing
it out to make sure that student1 cannot access the files of
student2. Also I should note that students will not be logging in to this
box so standard file permissions will not cut it. Students will upload
all files through a script utility, so all files will be owned by that
user.
The problem is this: with a more-or-less default installation of Tomcat
using the security manager, in a jsp:include you can access outside of
your context using ../../../. Note that in other forms of reading the
files, the security manager correctly prohibits access (both in a
jsp:include giving the real path, and in standard programmatic file
opening with real and ../ paths). It's just in the case of the include
with relative path that it allows access to others' files.
Here's a sample line of a jsp that should generate an error, but
doesn't. The contexts are foo1/ and foo2/, they are defined in separate
context tags. This line is from a file in foo1/.
<jsp:include page="../../../foo2/jsp/include/junk.txt"/>
That line allows the script in foo1 to access the file in foo2/. The same
path in a BufferedReader causes an error.
Somebody please help me. Is this a configuration error, a bug, or am I
just being thick-headed about it???
Thanks for your time.
--==pat schaider==--
pat@cider.fakkir.net
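One way to vet an include target before a container or a filter dispatches it, as an added example that is not part of the original post or of Tomcat: it models page-relative resolution against the including JSP's directory (an assumption about how the container resolves the page attribute), collapses "." and ".." segments, and rejects any result that lands outside the including context. The context path /foo1 and the including page /foo1/jsp/page.jsp are assumed; the include targets are the two from the post.

```python
import posixpath

# Assumed layout (not from the post): the including JSP lives here.
CONTEXT_PATH = "/foo1"
INCLUDING_JSP = "/foo1/jsp/page.jsp"


def resolve_include(context_path: str, including_jsp: str, page: str) -> str:
    """Resolve a jsp:include 'page' attribute to a server-relative path.

    Model (assumption): a page starting with '/' is context-relative and is
    prefixed with the context path; any other page is resolved against the
    directory of the including JSP.  '.' and '..' segments are then collapsed,
    which is what turns ../../../foo2/... into a path in another context.
    """
    if page.startswith("/"):
        raw = context_path.rstrip("/") + page
    else:
        raw = posixpath.join(posixpath.dirname(including_jsp), page)
    return posixpath.normpath(raw)


def is_within_context(resolved: str, context_path: str) -> bool:
    """True only if the resolved path is the context root or lies below it.

    The trailing '/' in the prefix test stops '/foo10/...' from matching '/foo1'.
    """
    root = context_path.rstrip("/")
    return resolved == root or resolved.startswith(root + "/")


def check_include(context_path: str, including_jsp: str, page: str) -> tuple[str, bool]:
    """Return (resolved path, allowed?) for one include target."""
    resolved = resolve_include(context_path, including_jsp, page)
    return resolved, is_within_context(resolved, context_path)


if __name__ == "__main__":
    # Constructed inputs: a normal include and the traversal from the post.
    for target in ("include/junk.txt", "../../../foo2/jsp/include/junk.txt"):
        resolved, ok = check_include(CONTEXT_PATH, INCLUDING_JSP, target)
        verdict = "ALLOWED" if ok else "REJECTED (escapes " + CONTEXT_PATH + ")"
        print(f"{target:40} -> {resolved:30} {verdict}")
```

The same containment test applies to a path given as the "real path" the post mentions, once it has been canonicalised the same way.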