Posted to users@tomcat.apache.org by Denny Chambers <dc...@snapserver.com> on 2002/09/26 18:30:07 UTC
Symlinks
Hi All,
Is there any way to tell Tomcat to not follow symlinks? If not, how
can I protect my server against malicious symlinks? Is the
java.io.FilePermissions smart enough to figure these out?
For example if I give read access only to directory "foo" through the
java.io.FilePermissions, but inside of "foo", there is a symlink that
points to a file "bar", which really exists outside of the directory
"foo". Is the Security Manager smart enough to catch this?
I have also found that while I can't see a WEB-INF directory from the
browser using a URL like so:
http://myserver:8080/myapp/WEB-INF/,
I can create a symlink in $CATALINA_HOME/webapp/myapp/ which points to a
WEB-INF directory, then I can see that directory as plain as day. How
can you protect your server from these sorts of things?
Thanks,
Denny
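
Added example, not part of the original post and not Tomcat's own code: one way to express the "foo"/"bar" case from the question as a containment check, by resolving every symlink in the requested path and confirming the result still lies under the permitted directory. The class name, method name and the temporary directory layout are constructed for illustration, and the demo assumes a filesystem where the process may create symbolic links.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class SymlinkContainmentCheck {

    /**
     * Returns true only if the requested path, after every symlink in it
     * has been resolved, still lies inside the allowed root directory.
     */
    static boolean isInsideRoot(Path root, String requested) throws IOException {
        Path realRoot = root.toRealPath();            // resolve links in the root itself
        Path candidate = realRoot.resolve(requested).normalize();
        if (!candidate.startsWith(realRoot)) {
            return false;                             // lexical escape such as "../bar"
        }
        if (!Files.exists(candidate)) {
            return false;                             // missing file or dangling link
        }
        // toRealPath() follows symlinks, so a link that points outside the
        // root resolves to a path that no longer starts with realRoot.
        return candidate.toRealPath().startsWith(realRoot);
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: base/foo is the permitted directory,
        // base/bar is a file that really exists outside of it.
        Path base = Files.createTempDirectory("symlink-demo");
        Path foo = Files.createDirectory(base.resolve("foo"));
        Path bar = Files.write(base.resolve("bar"), "outside".getBytes());
        Files.write(foo.resolve("index.html"), "inside".getBytes());
        Files.createSymbolicLink(foo.resolve("link"), bar);   // foo/link -> base/bar

        // A regular file inside foo, the symlink to bar, and a "../" request.
        for (String request : new String[] {"index.html", "link", "../bar"}) {
            System.out.println(request + " inside foo: " + isInsideRoot(foo, request));
        }
    }
}
```

The check reflects the filesystem at the moment it runs; if untrusted users can write inside the directory, a link can be swapped between the check and the open, so write access to the served tree still has to be restricted.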