Chris and Len, Thanks for this.
In thinking about this, it may be the easiest thing for me to do to simply block people uploading files that look like .jsp! Initially didn't consider this, as it's a blacklisting approach as opposed to a whitelisting approach, which is not as good really. Made me wonder if other approaches to breaking this would work - something about uploading symbolic links and then maybe web.xmls and possibly code. I can't figure how this could be done and made to work, but it doesn't mean that someone else couldn't. Thanks for the hint about DefaultServlet presumably doing some caching of what's deployed. If it comes to it, I could look at some modifications to, or just a new version of DefaultServlet. Thanks again for the help. Keith. Christopher Schultz-2 wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA1 > > Keith, > > On 7/4/2009 7:17 PM, Keith67 wrote: >> I have an application I would like to allow users to upload files >> through, >> and then I want to be able to link to them and serve them from the >> server. >> >> If I do this, I run the risk of them uploading executable content (e.g. a >> JSP file) and then having it executed on the server, so I would like to >> stop >> this happening. > > It's nice to know that some folks out there actually /think/ about > security before blindly writing code! > >> Does anyone know how I could prevent any dynamic processing of files in a >> given Tomcat context. > > As Len says, all you need to do is map "/*.jsp" to something other than > the (default configured) JspServlet. While he suggests mapping it to > some error, it seems more appropriate for your application to map it to > the DefaultServlet instead (so you can serve the files). > > On the other hand, DefaultServlet may have some problems serving files > that have been written into your webapp's directory after deployment > (search the archives for many discussions of this). It's not a good idea > to write files to the deployment directory, anyway, and so > DefaultServlet (without modifications) won't be able to serve your files. > > If you already have a servlet written to serve the files /other/ than > "/*.jsp", simply map "/*.jsp" to that same servlet and you should be > good to go. > > - -chris > -----BEGIN PGP SIGNATURE----- > Version: GnuPG v1.4.9 (MingW32) > Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ > > iEYEARECAAYFAkpQsmMACgkQ9CaO5/Lv0PBiewCcCRwqVox1wiXwokBip1B4sVrp > uTcAn1s3CPWY3XEKWNR3cnhYPVAloWIG > =kf6I > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org > For additional commands, e-mail: users-h...@tomcat.apache.org > > > -- View this message in context: http://www.nabble.com/Tomcat-for-serving-only-static-files---how-to-prevent-the-likes-of-JSP-execution-tp24338874p24343448.html Sent from the Tomcat - User mailing list archive at Nabble.com. --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
