On 02/03/17 19:59, Berneburg, Cris J. - US wrote:
> Chris
>
> -----Original Message-----
> From: Christopher Schultz [mailto:chris@...]
> Sent: Friday, February 24, 2017 [multiple]
> To: Tomcat Users List
> Subject: Re: Getting application root path before servlet is initialized?
>
> [SNIP]
>
> Martin K> In order to avoid hard coding that path,
> Martin K> I need a programmatic to find that value.
> Martin K> Unfortunately the datasource is initialized
> Martin K> before the servlet, so "getRealPath()" is
> Martin K> not working yet.
>
> chris S>>> getRealPath is a bad idea. <<<
>
> For my education's sake, would you please explain that? Or is your follow-up
> below the explanation?

There is no guarantee it will return a non-null value. The typical
reason is if the app is running from a packed WAR. Using it reduces the
portability of your application.

Mark

>
> chris S> would it be possible to store it *outside* of
> chris S> the web application's on-disk footprint? That
> chris S> will in fact make you more secure. Let's say
> chris S> for example that a vulnerability exists in the
> chris S> DefaultServlet, or one of your application's
> chris S> own servlets. It allows path-traversal or
> chris S> whatever. A file living in your application
> chris S> will then be potentially remotely-fetchable :(
> chris S> If you move that file outside of the web
> chris S> application, you have a better chance of
> chris S> preventing that kind of thing.
>
> --
> Cris Berneburg
> CACI Lead Software Engineer
>
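
An added example, not part of the original thread and not Tomcat's own code: a start-up check that takes the config file location from external configuration instead of deriving it from `getRealPath()`, tolerates the `null` a packed WAR returns, and refuses a file that sits inside the web application's on-disk footprint. The class `ExternalConfig`, the method `resolve` and the file names are hypothetical.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.nio.file.Paths;

/** Hypothetical helper: resolve a config file that must live outside the web application. */
public class ExternalConfig {

    /**
     * @param configured path taken from a system property, JNDI entry or context parameter
     * @param webappRoot result of ServletContext.getRealPath("/"); null when run from a packed WAR
     */
    static Path resolve(String configured, String webappRoot) throws IOException {
        if (configured == null || configured.isEmpty()) {
            throw new IllegalStateException("no external config path configured");
        }
        // toRealPath() resolves ".." and symlinks, and fails if the file does not exist.
        Path config = Paths.get(configured).toRealPath();
        if (webappRoot != null) {
            Path root = Paths.get(webappRoot).toRealPath();
            if (config.startsWith(root)) {
                throw new IllegalStateException("config file is inside the web application: " + config);
            }
        }
        // webappRoot == null: there is no unpacked directory to compare against.
        return config;
    }

    public static void main(String[] args) throws IOException {
        // Constructed directory layout standing in for an unpacked web application.
        Path base = Files.createTempDirectory("demo");
        Path webInf = Files.createDirectories(base.resolve("webapps/app/WEB-INF"));
        Path inside = Files.createFile(webInf.resolve("db.properties"));
        Path outside = Files.createFile(
                Files.createDirectories(base.resolve("conf")).resolve("db.properties"));
        String root = base.resolve("webapps/app").toString();

        System.out.println("outside, unpacked:   " + resolve(outside.toString(), root));
        System.out.println("outside, packed WAR: " + resolve(outside.toString(), null));
        try {
            resolve(inside.toString(), root);
        } catch (IllegalStateException e) {
            System.out.println("rejected: " + e.getMessage());
        }
    }
}
```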