This is an automated email from the ASF dual-hosted git repository. markt pushed a commit to branch main in repository https://gitbox.apache.org/repos/asf/tomcat.git
The following commit(s) were added to refs/heads/main by this push: new 91d1d9d0e2 Provide guidance on allowing write access to the web application 91d1d9d0e2 is described below commit 91d1d9d0e2a241fbf9e5cb5a46e572b0962ef973 Author: Mark Thomas <ma...@apache.org> AuthorDate: Sat Jun 7 09:32:02 2025 +0100 Provide guidance on allowing write access to the web application --- webapps/docs/changelog.xml | 5 +++++ webapps/docs/default-servlet.xml | 25 ++++++++++++++----------- webapps/docs/security-howto.xml | 13 +++++++++++++ 3 files changed, 32 insertions(+), 11 deletions(-) diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml index 3b17d479ec..00ef06c51e 100644 --- a/webapps/docs/changelog.xml +++ b/webapps/docs/changelog.xml @@ -228,6 +228,11 @@ <subsection name="Web applications"> <changelog> <!-- Entries for backport and removal before 12.0.0-M1 below this line --> + <add> + Documentation. Provide more explicit guidance regarding the security + considerations for enabling write access to the web application via + WebDAV, HTTP PUT requests or similar. (markt) + </add> </changelog> </subsection> <subsection name="Other"> diff --git a/webapps/docs/default-servlet.xml b/webapps/docs/default-servlet.xml index 362fb40096..c9006b89db 100644 --- a/webapps/docs/default-servlet.xml +++ b/webapps/docs/default-servlet.xml 
@@ -150,17 +150,20 @@ Tomcat.</p> directory listing will be shown. </property> <property name="localXsltFile"> - You may also customize your directory listing by directory by - configuring <code>localXsltFile</code>. This must be a file in the - directory where the listing will take place to with a - <code>.xsl</code> or <code>.xslt</code> extension. This overrides - <code>globalXsltFile</code> and <code>contextXsltFile</code>. If this - value is present but a file does not exist, then - <code>contextXsltFile</code> will be used. If - <code>contextXsltFile</code> does not exist, then - <code>globalXsltFile</code> will be used. If - <code>globalXsltFile</code> does not exist, then the default - directory listing will be shown. + <p>You may also customize your directory listing by directory by configuring + <code>localXsltFile</code>. This must be a file in the directory where the + listing will take place to with a <code>.xsl</code> or <code>.xslt</code> + extension. This overrides <code>globalXsltFile</code> and + <code>contextXsltFile</code>. If this value is present but a file does not + exist, then <code>contextXsltFile</code> will be used. If + <code>contextXsltFile</code> does not exist, then + <code>globalXsltFile</code> will be used. If <code>globalXsltFile</code> + does not exist, then the default directory listing will be shown.</p> + <p>Any <code>localXsltFile</code> is both a Tomcat configuration file and + part of the web application. As per the Tomcat security model, such files + are assumed to be trusted. Write access to this file should, like write + access to any Tomcat configuration file, be limited to trusted users. This + incudes users with remote access via WebDAV, PUT or similar.</p> </property> <property name="input"> Input buffer size (in bytes) when reading diff --git a/webapps/docs/security-howto.xml b/webapps/docs/security-howto.xml index c167f00fce..a28399a5f3 100644 --- a/webapps/docs/security-howto.xml 
+++ b/webapps/docs/security-howto.xml @@ -178,6 +178,19 @@ </subsection> </section> + <section name="User web applications"> + <p>Web applications are assumed to be trusted. It is not safe to deploy web + applications from untrusted sources.</p> + + <p>Any application functionality that permits the modification of a web + application (WebDAV, HTTP PUT requests etc.) may impact the security of + either the web application or the Tomcat instance on which it is running. + Such functionality should either be restricted to trusted users or + limited in scope (e.g. via security constraints) such that users with access + to the functionality are unable to imapct the security of either the web + application or the Tomcat instance on which it is running.</p> + </section> + <section name="Security manager"> <p>Support for running under a security manager has been removed for Tomcat 11 onwards. Similar (arguably better) functionality maybe obtained by --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
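Review bot: in the default-servlet.xml hunk, the new second paragraph has a typo, "This incudes users with remote access via WebDAV, PUT or similar." should read "This includes users ...". While the first paragraph is being re-wrapped into a `<p>`, the pre-existing "This must be a file in the directory where the listing will take place to with a `.xsl` or `.xslt` extension." could also be fixed by dropping the stray "to". It would also help readers if this paragraph pointed at the `readonly` init parameter of the DefaultServlet (which governs PUT and DELETE) and at the WebDAV servlet page, since those are the settings a deployer actually changes to grant the write access the paragraph warns about.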
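Review bot: in the security-howto.xml hunk, the new "User web applications" section has a typo, "unable to imapct the security" should be "unable to impact the security". Consider also making the second paragraph more actionable by naming the concrete controls it alludes to: security constraints on the PUT and DELETE methods, the DefaultServlet `readonly` setting, and file-system permissions that keep the deployed web application (and any `localXsltFile`) read-only to the Tomcat process where write access is not needed, so "limited in scope" has a clear meaning for deployers. A drive-by in the adjacent context line, "functionality maybe obtained by" should read "may be obtained by", but that is outside this change.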