https://issues.apache.org/bugzilla/show_bug.cgi?id=57251
--- Comment #19 from Mark Thomas <ma...@apache.org> ---
(In reply to Christopher Schultz from comment #17)
> (In reply to Mark Thomas from comment #16)
> > There is nothing stopping users copying an exploded directory into the
> > appBase in the same way a WAR is copied. The ASF's JIRA instance runs this
> > way for exactly the security concerns you cite.
>
> Yes, but those WARs are being copied locally and can work by using a user
> other than Tomcat's uid.

Nothing stops this other user from copying an exploded directory to the
appBase rather than an unexploded WAR.

> > I do not see any security benefits that are unique to unpackWARs="false"
>
> If Tomcat itself can be remotely exploited to drop a WAR file into webapps/
> then it might be auto-deployed without local access (which is what you
> describe above).

Either the appBase is writeable (in which case there is a small security risk)
or it isn't. A writeable (by the Tomcat user) appBase is independent of whether
you deploy applications as WARs or exploded directories.
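The control Mark is pointing at is whether the Tomcat uid can write into appBase at all, not the unpackWARs setting. As an added defender's check (not Tomcat's code and not from this thread), here is a small POSIX shell helper that decides writability from a directory's owner, group and mode bits, plus a wrapper that reads those from a live path with GNU stat; the demo values, the webapps path and the user name "tomcat" are assumptions.

```shell
#!/bin/sh
# Added audit helper (constructed example, not part of Tomcat).
# can_write OWNER GROUP MODE USER "GROUP1 GROUP2 ..." -> prints yes or no
# MODE is octal as shown by stat (755, 2775, 0755 ...); only the last three
# digits (user/group/other) are used. POSIX ACLs are not considered.
can_write() {
  owner=$1; group=$2; mode=$3; user=$4; user_groups=$5
  # Keep the last three octal digits, dropping setuid/setgid/sticky.
  mode=$(printf '%s' "$mode" | tail -c 3)
  u=$(printf '%s' "$mode" | cut -c1)
  g=$(printf '%s' "$mode" | cut -c2)
  o=$(printf '%s' "$mode" | cut -c3)
  if [ "$user" = root ]; then echo yes; return 0; fi
  if [ "$user" = "$owner" ]; then
    bit=$u
  else
    bit=$o
    # Group bits apply when any of the user's groups matches the dir group.
    for grp in $user_groups; do
      [ "$grp" = "$group" ] && bit=$g
    done
  fi
  # The write permission is the 2 bit of the octal digit.
  case $bit in
    2|3|6|7) echo yes ;;
    *)       echo no ;;
  esac
  return 0
}

# audit_appbase DIR USER: read ownership/mode from disk (GNU stat, Linux).
audit_appbase() {
  dir=$1; user=$2
  [ -d "$dir" ] || { echo "no such directory: $dir"; return 0; }
  set -- $(stat -c '%U %G %a' "$dir")
  echo "$dir owned by $1:$2 mode $3; $user can write: $(can_write "$1" "$2" "$3" "$user" "$(id -Gn "$user" 2>/dev/null)")"
}

# Demo on constructed values (assumed layouts, not a real host):
# webapps owned root:tomcat, mode 2775 -> tomcat writes via the group bit.
can_write root tomcat 2775 tomcat "tomcat"   # prints yes
# webapps owned root:root, mode 755 -> tomcat cannot drop a WAR or directory.
can_write root root 755 tomcat "tomcat"      # prints no
```

A "yes" on the real appBase means a compromise of the Tomcat process, or of any account in that group, can deploy code regardless of unpackWARs; the wrapper ignores ACLs, so confirm with getfacl where ACLs are in use.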