Looking at the code, it seems the caseSensitive flag is used when a
resource is loaded from the filesystem (amongst others).
If caseSensitive is true, the absolute filename of the loaded resource is
compared to the requested resource (in FileDirContext). If
caseSensitive is removed, anything accepted by new File() is returned as
is. I don't know if the caseSensitive flag is used by anything else
than file loading.

David Kerber wrote:

> If it works that way (and I haven't tried it), then I would say that
> the caseSensitive="false" flag was not working as I would expect.  I
> would expect that things defined for /MYNAME would work for /myname if
> caseSensitive was false.
>
> Can anybody tell me definitively how this security risk works?
>
>
> David Delbecq wrote:
>
>> I suspect a call to /something.JSP will not go through the JSP engine.
>> I can also guess that the security constraints applied on /servlet
>> will not apply on /SERVLET.
>>
>>
>> David Kerber wrote:
>>
>>  
>>
>>> I've seen that notice, but could you explain to me how that works?  I
>>> don't see how this could cause any security issues, except for
>>> slightly reducing the number of attempts you would need in a
>>> brute-force hacking attempt.
>>>
>>> Dave
>>>
>>>
>>> David Delbecq wrote:
>>>
>>>   
>>>
>>>> Be careful, there are security issues with this (jsp code
>>>> disclosure!)!!
>>>> David Kerber wrote:
>>>>
>>>>
>>>>
>>>>     
>>>>
>>>>> <Context caseSensitive="false">
>>>>>
>>>>>
>>>>> Buddy wu wrote:
>>>>>
>>>>>  
>>>>>
>>>>>       
>>>>>
>>>>>> 2006/3/7, Long <[EMAIL PROTECTED]>:
>>>>>>
>>>>>>
>>>>>>   
>>>>>>         
>>>>>>
>>>>>>> Buddy wu wrote:
>>>>>>>   I want to know if there is any way to set tomcat NOT CASE
>>>>>>> SENSITIVE in URL
>>>>>>>   I mean: when I write in browser's 'http://localhost/test.html'
>>>>>>> equals to 'http://localhost/TEST.htm'.  Can I do it ? or just in
>>>>>>> WINDOWS can but Linux/unix can't?
>>>>>>>
>>>>>>> Right, url is case-insensitive under Windows because the file
>>>>>>> system
>>>>>>>
>>>>>>>                
>>>>>>
>>>>>> But, the FACT is that under Windows the URL is CASE-SENSITIVE, not
>>>>>> case-insensitive, why?
>>>>>>
>>>>>> I've tried, under Windows, test.html and TEST.html are different in
>>>>>> tomcat server. Is there a parameter to set??
>>>>>>
>>>>>>
>>>>>>
>>>>>>   
>>>>>>         
>>>>>>
>>>>>>> can't tell a difference between test.html and TEST.html. The
>>>>>>> difference
>>>>>>> is there under Linux/UNIX.
>>>>>>>
>>>>>>> Long
>>>>>>>           
>>>>>>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
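
Added example, not part of the thread and not Tomcat's own code: a Java illustration of the check described in the top message (compare the file's canonical name with the requested name) and of why skipping it can return JSP source. The names CaseSensitiveLookupDemo, lookup and handledByJspEngine are hypothetical, the JSP content is constructed, and the difference between the two settings only shows on a case-insensitive filesystem such as Windows, where getCanonicalPath() returns the name as stored on disk.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class CaseSensitiveLookupDemo {

    // Hypothetical helper (not Tomcat's code): returns the file to serve,
    // or null when the request should get a 404.
    static File lookup(File docBase, String name, boolean caseSensitive)
            throws IOException {
        File file = new File(docBase, name);
        if (!file.exists()) {
            return null; // a case-sensitive filesystem already ends here
        }
        if (caseSensitive) {
            // On Windows the canonical path carries the name as stored on
            // disk, so a request for index.JSP does not match index.jsp.
            String requested = new File(docBase.getCanonicalPath(), name).getPath();
            if (!file.getCanonicalPath().equals(requested)) {
                return null;
            }
        }
        return file;
    }

    // Assumption taken from the thread: only names ending in lower-case
    // ".jsp" are routed to the JSP engine; anything else is sent as-is.
    static boolean handledByJspEngine(String name) {
        return name.endsWith(".jsp");
    }

    public static void main(String[] args) throws IOException {
        File docBase = Files.createTempDirectory("docbase").toFile();
        // Constructed sample page standing in for real JSP source.
        Files.write(new File(docBase, "index.jsp").toPath(),
                "<% String secret = \"constructed\"; %>".getBytes());

        for (boolean caseSensitive : new boolean[] {true, false}) {
            for (String name : new String[] {"index.jsp", "index.JSP"}) {
                File hit = lookup(docBase, name, caseSensitive);
                String outcome = hit == null ? "404"
                        : handledByJspEngine(name) ? "compiled by JSP engine"
                        : "raw source returned";
                System.out.printf("caseSensitive=%b %s -> %s%n",
                        caseSensitive, name, outcome);
            }
        }
    }
}
```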

