Chris

-----Original Message-----
From: Christopher Schultz [mailto:chris@...]
Sent: Friday, February 24, 2017 [multiple]
To: Tomcat Users List
Subject: Re: Getting application root path before servlet is initialized?

[SNIP]

Martin K> In order to avoid hard coding that path,
Martin K> I need a programmatic to find that value.
Martin K> Unfortunately the datasource is initialized
Martin K> before the servlet, so "getRealPath()" is
Martin K> not working yet.

chris S>>> getRealPath is a bad idea. <<<

For my education's sake, would you please explain that? Or is your follow-up below the explanation?

chris S> would it be possible to store it *outside* of
chris S> the web application's on-disk footprint? That
chris S> will in fact make you more secure. Let's say
chris S> for example that a vulnerability exists in the
chris S> DefaultServlet, or one of your application's
chris S> own servlets. It allows path-traversal or
chris S> whatever. A file living in your application
chris S> will then be potentially remotely-fetchable :(
chris S> If you move that file outside of the web
chris S> application, you have a better chance of
chris S> preventing that kind of thing.

--
Cris Berneburg
CACI Lead Software Engineer
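
The placement advice quoted above can be enforced at startup. The following is an added example, not code from this thread or from Tomcat: it refuses a configuration file whose real location falls inside the web application's directory. The class name `ExternalConfigLocator`, the idea of passing the path in through a deployment setting, and the sample directory layout are all assumptions made for illustration.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

// Hypothetical helper: accept a config file only if it lives outside the deployed web application.
public final class ExternalConfigLocator {
    // configured: path taken from a deployment setting (assumed, e.g. a JVM system property)
    // webappRoot: on-disk root of the deployed application, supplied by the caller
    public static Path resolve(String configured, Path webappRoot) throws IOException {
        if (configured == null || !Paths.get(configured).isAbsolute()) {
            throw new IllegalStateException("config location must be an absolute path: " + configured);
        }
        // toRealPath() resolves symlinks and ".." so the comparison uses the files' real locations.
        Path realConfig = Paths.get(configured).toRealPath();
        Path realRoot = webappRoot.toRealPath();
        if (realConfig.startsWith(realRoot)) {
            throw new IllegalStateException("config file is inside the web application: " + realConfig);
        }
        if (!Files.isRegularFile(realConfig) || !Files.isReadable(realConfig)) {
            throw new IllegalStateException("not a readable regular file: " + realConfig);
        }
        return realConfig;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temp directory; names are illustrative only.
        Path base = Files.createTempDirectory("sample-base");
        Path root = Files.createDirectories(base.resolve("webapps").resolve("myapp"));
        Path inside = Files.createDirectories(root.resolve("WEB-INF")).resolve("db.properties");
        Path outside = Files.createDirectories(base.resolve("conf")).resolve("db.properties");
        Files.write(inside, "user=sample\n".getBytes());
        Files.write(outside, "user=sample\n".getBytes());
        // The same file as 'inside', reached through ".." from the conf directory.
        Path dotted = base.resolve("conf/../webapps/myapp/WEB-INF/db.properties");

        System.out.println("accepted: " + resolve(outside.toString(), root));
        for (Path p : new Path[] { inside, dotted }) {
            try {
                resolve(p.toString(), root);
            } catch (IllegalStateException e) {
                System.out.println("rejected: " + e.getMessage());
            }
        }
    }
}
```

Comparing real paths rather than the configured strings matters here: a symlink or a `..` segment can make a path look external while the file still sits under the application's directory.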