Christopher Schultz wrote: > Konstantin, > > On 7/13/2009 10:06 PM, Konstantin Kolinko wrote: >> See how allowLinking and caseSensitive options are implemented in >> StandardContext. > > They are not implemented in StandardContext: they are implemented in > FileDirContext and therefore should only affect content being served by > the web server, not JAR files being loaded from the CLASSPATH.
It doesn't matter. *All* web-app resources are accessed via a DirContext, including those loaded from WEB-INF/classes and WEB-INF/lib. > So, from looking at this code, it appears that Java does not "know" the > difference between a symbolic link and a hard link: it just lets the > filesystem reveal the canonical path to the file (which is almost > certainly different from a symbolic link) and compares the original name > with the canonical name. If they are different, a symlink is implied and > therefore rejected. Correct. > Again, this appears to be only for static content loaded by code like > DefaultServlet, not a policy enforced by Tomcat across all file accesses. Again, wrong. allowLinking applies to any web-app resources. Only internal Tomcat file access (bin, lib, logs etc) goes directly to the file system. Mark --------------------------------------------------------------------- To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org For additional commands, e-mail: users-h...@tomcat.apache.org
