-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 Keith,
On 7/5/2009 10:15 AM, Keith67 wrote: > In thinking about this, it may be the easiest thing for me to do to simply > block people uploading files that look like .jsp! That is definitely a possible strategy, but would that interfere with your users' requirements? Also, disabling JSP execution would protect you from accidental .jsp uploads (whether through a security breach or some other accident). On the other hand, disabling all .jsp URLs would prohibit you from running your /own/ JSPs, unless you set up mappings for each individual JSP file you actually expect to run in your own webapp. > Made me wonder if other approaches to breaking > this would work - something about uploading symbolic links and then maybe > web.xmls and possibly code. There is no way I know of for a pure-Java application to write a symlink to the filesystem, so I don't think you really have to worry about that. Also, it's hard to get the contents of the symlink itself without "accidentally" getting the linked-file's content instead :) > I can't figure how this could be done and made > to work, but it doesn't mean that someone else couldn't. Fair enough. > Thanks for the hint about DefaultServlet presumably doing some caching of > what's deployed. If it comes to it, I could look at some modifications to, > or just a new version of DefaultServlet. Serving static files with no caching and ignoring things like returning 304 responses is exceedingly easy if you don't want to complicate your life customizing DefaultServlet. Good luck, - -chris -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.9 (MingW32) Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/ iEYEARECAAYFAkpQt9sACgkQ9CaO5/Lv0PCFTwCeJpHHL+fRh/aOSkZeiS8ySnPm cK4An1yRtBDH+R52bl913AB3QYYJ09Fy =QD81 -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
