On Thu, 08 Apr 2010 22:13:32 -0300, Howard Lewis Ship <[email protected]> wrote:

What should be available by default? My opinion, anything in the context,
except WEB-INF.
What should not be available by default? My opinion, anything in the
classpath.

And that's where I disagree; maybe any non .class file outside of a
controlled package should be protected?  If we remove the malicious
user's ability to "hunt" for files and protect the ones that may be
important (.class, etc.) then we're good.

Configuration files are very sensitive and are usually located in the classpath in known places. I would consider most files in the classpath as something that isn't meant to be publicly accessible unless explicitly allowed.

--
Thiago H. de Paula Figueiredo
Independent Java, Apache Tapestry 5 and Hibernate consultant, developer, and instructor
Owner, software architect and developer, Ars Machina Tecnologia da Informação Ltda.
http://www.arsmachina.com.br
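The policy the two positions converge on (serve the web context except WEB-INF, treat the classpath as private unless a package is explicitly opened, and never serve bytecode) can be written down as a small deny-by-default check. The following Java class is an added example for this thread, not Tapestry's own asset-dispatch code; the class name, the `Source` enum and the allow-list of classpath packages are hypothetical, and the sample paths in `main` are constructed for illustration.

```java
import java.util.List;
import java.util.Locale;

/** Added example (not Tapestry code): deny-by-default policy for asset requests. */
public final class AssetAccessPolicy {

    /** Where the requested resource would be loaded from. */
    public enum Source { CONTEXT, CLASSPATH }

    // Hypothetical allow-list: classpath package prefixes explicitly opened for serving.
    private final List<String> allowedClasspathPackages;

    public AssetAccessPolicy(List<String> allowedClasspathPackages) {
        this.allowedClasspathPackages = List.copyOf(allowedClasspathPackages);
    }

    /** Returns true only if a request for rawPath from source may be served. */
    public boolean isAllowed(Source source, String rawPath) {
        String path = normalize(rawPath);
        if (path == null) {
            return false; // traversal attempt or malformed path: refuse outright
        }
        // Never serve bytecode, whatever the source.
        if (path.toLowerCase(Locale.ROOT).endsWith(".class")) {
            return false;
        }
        switch (source) {
            case CONTEXT:
                // The context is public except the WEB-INF tree (web.xml, classes, lib).
                String first = path.contains("/") ? path.substring(0, path.indexOf('/')) : path;
                return !first.equalsIgnoreCase("WEB-INF");
            case CLASSPATH:
                // The classpath is private unless the package was explicitly opened.
                for (String pkg : allowedClasspathPackages) {
                    if (path.startsWith(pkg + "/")) {
                        return true;
                    }
                }
                return false;
            default:
                return false;
        }
    }

    /** Collapses separators and rejects any segment that could escape the root. */
    static String normalize(String rawPath) {
        if (rawPath == null) {
            return null;
        }
        String p = rawPath.replace('\\', '/');
        StringBuilder out = new StringBuilder();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue; // leading slash, doubled slash, or no-op segment
            }
            if (seg.equals("..") || seg.indexOf('\0') >= 0) {
                return null; // parent reference or NUL byte: refuse
            }
            if (out.length() > 0) {
                out.append('/');
            }
            out.append(seg);
        }
        return out.toString();
    }

    public static void main(String[] args) {
        AssetAccessPolicy policy = new AssetAccessPolicy(List.of("org/example/assets"));
        // Constructed sample requests covering each rule above.
        String[][] cases = {
            {"CONTEXT",   "images/logo.png"},
            {"CONTEXT",   "WEB-INF/web.xml"},
            {"CONTEXT",   "images/../WEB-INF/web.xml"},
            {"CLASSPATH", "hibernate.cfg.xml"},
            {"CLASSPATH", "org/example/assets/app.css"},
            {"CLASSPATH", "org/example/assets/Page.class"},
        };
        for (String[] c : cases) {
            boolean ok = policy.isAllowed(Source.valueOf(c[0]), c[1]);
            System.out.printf("%-9s %-38s -> %s%n", c[0], c[1], ok ? "serve" : "deny");
        }
    }
}
```

The check runs on the decoded, normalized path rather than the raw request string, so a `..` segment or a backslash cannot be used to reach WEB-INF from an otherwise public prefix, and the classpath branch only ever answers "serve" for a prefix that an administrator has listed, which is the "unless explicitly allowed" rule from the message above expressed in code.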
