Posted to users@tomcat.apache.org by Denny Chambers <dc...@snapserver.com> on 2002/09/26 18:30:07 UTC

Symlinks

Hi All,

    Is there any way to tell Tomcat to not follow symlinks? If not, how 
can I protect my server against malicious symlinks? Is the 
java.io.FilePermissions smart enough to figure these out?

For example, if I give read access only to directory "foo" through the 
java.io.FilePermissions, but inside of "foo" there is a symlink that 
points to a file "bar", which really exists outside of the directory 
"foo", is the Security Manager smart enough to catch this?

I have also found that while I can't see a WEB-INF directory from the 
browser using a URL like so:

    http://myserver:8080/myapp/WEB-INF/,

I can create a symlink in $CATALINA_HOME/webapp/myapp/ which points to a 
WEB-INF directory, then I can see that directory as plain as day. How 
can you protect your server from these sorts of things?

Thanks,
Denny
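
An added example, not part of the original post: a shell audit for the two cases described above, a symlink inside a web application directory that resolves outside it, and a web-reachable symlink that resolves into WEB-INF. The function name and the ESCAPES/EXPOSES/UNRESOLVED labels are made up for illustration, and the script assumes a `readlink` that supports `-f` (GNU coreutils).

```shell
#!/bin/sh
# find_escaping_symlinks ROOT   (hypothetical helper, added example)
# Prints one line per suspicious symlink found under ROOT:
#   ESCAPES    link -> target   target resolves outside ROOT
#   EXPOSES    link -> target   link is web-reachable, target is in WEB-INF/META-INF
#   UNRESOLVED link             target could not be resolved
# Assumes path names without embedded newlines.
find_escaping_symlinks() {
    root=$(readlink -f -- "$1") || return 2
    [ -d "$root" ] || return 2
    # find does not follow symlinks by default, so each link is reported as itself.
    find "$root" -type l -print | while IFS= read -r link; do
        target=$(readlink -f -- "$link" 2>/dev/null) || target=""
        case "$target" in
            "")
                printf 'UNRESOLVED %s\n' "$link" ;;
            "$root"|"$root"/*)
                # Target stays inside the tree; still a problem when a link
                # outside WEB-INF/META-INF points into one of them.
                case "$target" in
                    */WEB-INF|*/WEB-INF/*|*/META-INF|*/META-INF/*)
                        case "$link" in
                            */WEB-INF/*|*/META-INF/*) ;;
                            *) printf 'EXPOSES %s -> %s\n' "$link" "$target" ;;
                        esac ;;
                esac ;;
            *)
                printf 'ESCAPES %s -> %s\n' "$link" "$target" ;;
        esac
    done
}

# Stand-alone use: ./audit.sh "$CATALINA_HOME/webapp/myapp"
if [ "$#" -gt 0 ]; then
    find_escaping_symlinks "$1"
fi
```

Empty output means no symlink under the given directory matched either case.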