Keith,

On 7/4/2009 7:17 PM, Keith67 wrote:
> I have an application I would like to allow users to upload files through,
> and then I want to be able to link to them and serve them from the server.
> 
> If I do this, I run the risk of them uploading executable content (e.g. a
> JSP file) and then having it executed on the server, so I would like to stop
> this happening.

It's nice to know that some folks out there actually /think/ about
security before blindly writing code!

> Does anyone know how I could prevent any dynamic processing of files in a
> given Tomcat context?

As Len says, all you need to do is map "/*.jsp" to something other than
the (default configured) JspServlet. While he suggests mapping it to
some error, it seems more appropriate for your application to map it to
the DefaultServlet instead (so you can serve the files).

On the other hand, DefaultServlet may have some problems serving files
that have been written into your webapp's directory after deployment
(search the archives for many discussions of this). It's not a good idea
to write files to the deployment directory, anyway, and so
DefaultServlet (without modifications) won't be able to serve your files.

If you already have a servlet written to serve the files /other/ than
"/*.jsp", simply map "/*.jsp" to that same servlet and you should be
good to go.

-chris
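
The mapping described above, written out as a web.xml fragment. This is an added example, not configuration from the original message: the servlet name, the class com.example.UploadFileServlet, the uploadDir parameter and the /files/* path are hypothetical. Extension patterns in web.xml are written "*.jsp", and Tomcat's default conf/web.xml also sends "*.jspx" to the JSP servlet, so both are remapped here.

```xml
<!-- WEB-INF/web.xml fragment (added example; all names are hypothetical) -->

<!-- The application's own file-serving servlet. It is assumed to stream
     the stored bytes as-is and never compile or execute what it reads. -->
<servlet>
  <servlet-name>uploadFiles</servlet-name>
  <servlet-class>com.example.UploadFileServlet</servlet-class>
  <init-param>
    <!-- Assumed parameter: uploads live outside the deployment directory -->
    <param-name>uploadDir</param-name>
    <param-value>/var/data/myapp/uploads</param-value>
  </init-param>
</servlet>

<!-- Normal download path for uploaded files -->
<servlet-mapping>
  <servlet-name>uploadFiles</servlet-name>
  <url-pattern>/files/*</url-pattern>
</servlet-mapping>

<!-- Mappings in the webapp's web.xml take precedence over the container
     defaults, so these extensions no longer reach the JSP servlet
     anywhere in this context. -->
<servlet-mapping>
  <servlet-name>uploadFiles</servlet-name>
  <url-pattern>*.jsp</url-pattern>
</servlet-mapping>
<servlet-mapping>
  <servlet-name>uploadFiles</servlet-name>
  <url-pattern>*.jspx</url-pattern>
</servlet-mapping>

<!-- Alternative from the message: put servlet-name "default" (Tomcat's
     DefaultServlet) in the two extension mappings instead. That only
     helps if the files are somewhere DefaultServlet can serve them. -->
```

To check the result after redeploying, request a harmless test file ending in .jsp that contains `<%= 1 + 1 %>`: the response body should contain that text literally, not `2`.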
