JSP @include directive

[Alexander Leyke <al...@cs.com>]

Hi,

I need to use include directive in JSP that points to file physically 
located outside directory tree for Web application context. I tested two 
forms of include directive: <%@include file="/../inc/name.inc" %> and 
<%@include file="/symlink/name.inc" %>.

As far as I can tell from Tomcat 4.1.18 sources the former is forbidden, 
i.e., cannot specify path that goes beyond application context. The 
latter is OK, as long as 
org.apache.naming.resources.FileDirContext.setAllowLinking() has been 
called with true argument. Symlinks are disallowed by default and I 
don't see any place in the code where setAllowLinking method gets 
called. Sounds like a problem to me.

Please tell me if above behavior is erroneous, and how can I cope with 
this situation.
Thank you,
Alex


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org

Re: JSP @include directive

[Remy Maucherat <re...@apache.org>]

Alexander Leyke wrote:
> Hi,
> 
> I need to use include directive in JSP that points to file physically 
> located outside directory tree for Web application context. I tested two 
> forms of include directive: <%@include file="/../inc/name.inc" %> and 
> <%@include file="/symlink/name.inc" %>.
> 
> As far as I can tell from Tomcat 4.1.18 sources the former is forbidden, 
> i.e., cannot specify path that goes beyond application context. The 
> latter is OK, as long as 
> org.apache.naming.resources.FileDirContext.setAllowLinking() has been 
> called with true argument.

You have to use a Resources element for that to be called.

Remy


---------------------------------------------------------------------
To unsubscribe, e-mail: tomcat-dev-unsubscribe@jakarta.apache.org
For additional commands, e-mail: tomcat-dev-help@jakarta.apache.org