Users Can See root files

2005-08-31 Thread Scott Purcell
Hello,

I was showing someone my website the other day, and when they started playing 
with the URL, they could see the jsp files, html files, and files under the 
WEB-INF directory.

I created a welcome-file-list in the web.xml, but I guess if someone plays 
with the URL and tries to get a look at the files that does not help.

How does one shut down all access to anything from a URL?

Thanks
Scott

-
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]



RE: Users Can See root files

2005-08-31 Thread Robert Harper
Change the listings parameter value in the %CATALINA_HOME%/conf/web.xml to
false, i.e.:

<servlet>
    ...
    <init-param>
        <param-name>listings</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>

This should turn off the file listings so that users should not be able to
navigate. 

Robert S. Harper
Information Access Technology, Inc.








RE: Users Can See root files

2005-08-31 Thread Caldarale, Charles R
> From: Scott Purcell [mailto:[EMAIL PROTECTED]
> Subject: Users Can See root files
>
> I created a welcome-file-list in the web.xml, but I guess
> if someone plays with the url and tries to get a look at the
> files that does not help.

Look here:
http://jakarta.apache.org/tomcat/tomcat-5.5-doc/default-servlet.html

Try setting listings to false in the conf/web.xml file.

 - Chuck


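A small configuration audit, added here as an example and not code posted by anyone in this thread: it parses a Tomcat conf/web.xml and reports whether the DefaultServlet's listings init-param that Robert and Chuck point to is still enabled. The web.xml fragments below are constructed; the servlet name "default" and the class org.apache.catalina.servlets.DefaultServlet follow Tomcat's stock conf/web.xml, and a missing listings parameter is treated as disabled, which is Tomcat 5.5's documented default.

```python
"""Audit a Tomcat conf/web.xml for the DefaultServlet 'listings' setting.

Added example, not code from the thread. Assumes the stock Tomcat layout:
a <servlet> whose <servlet-name> is "default" and whose <init-param>
children carry the DefaultServlet options.
"""
import xml.etree.ElementTree as ET


def _local(tag: str) -> str:
    """Strip a namespace prefix: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def default_servlet_listings(web_xml_text: str) -> bool:
    """Return True when directory listings are enabled for the DefaultServlet.

    A DefaultServlet with no 'listings' init-param is reported as disabled,
    matching the Tomcat 5.5 default for that parameter.
    """
    root = ET.fromstring(web_xml_text)
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = next((c.text for c in servlet if _local(c.tag) == "servlet-name"), None)
        if (name or "").strip() != "default":
            continue
        for param in servlet:
            if _local(param.tag) != "init-param":
                continue
            kv = {_local(c.tag): (c.text or "").strip() for c in param}
            if kv.get("param-name") == "listings":
                return kv.get("param-value", "").lower() == "true"
        return False  # default servlet present, no listings param: Tomcat default is false
    return False  # no default servlet declared at all


# Constructed sample fragments, modelled on the snippet in Robert's reply.
WEAK_WEB_XML = """<web-app xmlns="http://java.sun.com/xml/ns/j2ee">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
    <init-param><param-name>listings</param-name><param-value>true</param-value></init-param>
  </servlet>
</web-app>"""
FIXED_WEB_XML = WEAK_WEB_XML.replace("<param-value>true", "<param-value>false")

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WEB_XML), ("fixed", FIXED_WEB_XML)):
        state = "ENABLED" if default_servlet_listings(text) else "disabled"
        print(f"{label}: directory listings {state}")
```

Note that this only checks the listings switch; as David points out later in the thread, the container itself must never serve WEB-INF, so a front-end web server or an application servlet is the place to look if WEB-INF contents are still visible with listings off.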



RE: Users Can See root files

2005-08-31 Thread Raghupathy,Gurumoorthy
If you are using Apache as the front end, then:

<LocationMatch (.*)/WEB-INF/(.*)>
    Deny from All
</LocationMatch>


Regards
guru



Re: Users Can See root files

2005-08-31 Thread David Smith
The servlet spec (and tomcat is spec compliant) forbids the client
direct access to anything in WEB-INF.  I can think of two possibilities
for what you are seeing:

1) You have Apache or IIS in front of this serving out static content. 
In that case, do what others have suggested and configure Apache or IIS
to block access to files in WEB-INF.

2) You have a servlet offering up material from your webapp and it's
erroneously serving up material in WEB-INF as well.  This wouldn't be
anything provided by tomcat -- it would be one of your servlets if it
exists.

--David




-- 
===
David Smith
Network Operations Supervisor
Department of Entomology
College of Agriculture & Life Sciences
Cornell University
2132 Comstock Hall
Ithaca, NY  14853
Phone: 607.255.9571
Fax: 607.255.0939





Re: Users Can See root files

2005-08-31 Thread Wendy Smoak

From: David Smith [EMAIL PROTECTED]


The servlet spec (and tomcat is spec compliant) forbids the client
direct access to anything in WEB-INF.

I can think of two possibilities for what you are seeing:
1) You have Apache or IIS in front of this serving out static content.
In that case, do what others have suggested and configure Apache or IIS
to block access to files in WEB-INF.

2) You have a servlet offering up material from your webapp and it's
erroneously serving up material in WEB-INF as well.  This wouldn't be
anything provided by tomcat -- it would be one of your servlets if it
exists.


SRV9.5 (Servlet 2.4) says "No file contained in the WEB-INF directory may be
served directly to a client by the container."

I am not the OP, but I have a similar situation.  I dropped an old (Servlet
2.3) .war file into a fresh Tomcat 5.5 install, and started seeing directory
listings of contents under WEB-INF.  It seems to be coming from the Struts
Tiles tags, (which would fit into your #2 possibility,) though I haven't had
time to investigate.  Specifically, I think a <tiles:insert attribute="xxx"
/> tag will do it when 'xxx' is empty.  I'll go see if any of the Tiles
experts can confirm.

Does listing the contents of a directory == serving a file directly to a
client?  I don't think so... though I was *very* surprised to see the
directory listings.  I saved a screen shot just so I could prove it was
really happening. :)  Clicking on any of the links in the list gives the
usual '404', and turning off listings as advised by an earlier post in this
thread fixed the problem.

--
Wendy Smoak

