https://issues.apache.org/bugzilla/show_bug.cgi?id=57251

--- Comment #20 from Francisco A. Lozano <floz...@gmail.com> ---
(In reply to Mark Thomas from comment #19)
> (In reply to Christopher Schultz from comment #17)
> > (In reply to Mark Thomas from comment #16)
> > > There is nothing stopping users copying an exploded directory into the
> > > appBase in the same way a WAR is copied. The ASF's JIRA instance runs this
> > > way for exactly the security concerns you cite.
> > 
> > Yes, but those WARs are being copied locally and can work by using a user
> > other than Tomcat's uid.
> 
> Nothing stops this other user from copying an exploded directory to the
> appBase rather than an unexploded WAR.

But this other user can be more tightly controlled, because it doesn't execute
anything. The user that writes doesn't execute, and the user that executes
doesn't write. It's a pretty common security pattern:
http://en.wikipedia.org/wiki/W%5EX

> 
> > > I do not see any security benefits that are unique to unpackWARs="false"
> > 
> > If Tomcat itself can be remotely exploited to drop a WAR file into webapps/
> > then it might be auto-deployed without local access (which is what you
> > describe above).
> 
> Either the appBase is writeable (in which case there is a small security
> risk) or it isn't. A writeable (by the Tomcat user) appBase is independent
> of whether you deploy applications as WARs or exploded directories.

But when you use WARs you hit this issue in Tomcat 8 and not in Tomcat 7/6.
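
The separation discussed in this comment (the account that writes to the appBase is not the account that runs Tomcat) can be verified from file ownership and mode bits. The following is an added example, not part of the original thread or of Tomcat; the function names, the `app.war` file name and the uid/gid offsets are constructed, and it assumes a non-root runtime account and ignores ACLs.

```python
import os
import stat
import tempfile


def writable_by(st, uid, gids):
    """POSIX mode-bit check for a non-root uid (ACLs are not considered)."""
    if st.st_uid == uid:              # owner class wins, even if group/other allow more
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)


def audit_appbase(app_base, runtime_uid, runtime_gids):
    """Return paths under app_base that the runtime account could modify.

    A writable directory matters most: new entries can be created in it.
    """
    gids = set(runtime_gids)
    findings = []
    for root, _dirs, files in os.walk(app_base):
        for path in [root] + [os.path.join(root, f) for f in files]:
            st = os.lstat(path)
            if stat.S_ISLNK(st.st_mode):
                continue              # a symlink's own mode bits are not enforced
            if writable_by(st, runtime_uid, gids):
                findings.append(path)
    return sorted(findings)


def demo():
    """Constructed layout: appBase owned by a deploy account (this process)."""
    with tempfile.TemporaryDirectory() as base:
        war = os.path.join(base, "app.war")   # constructed file name
        open(war, "wb").close()
        os.chmod(base, 0o755)
        os.chmod(war, 0o644)
        st = os.lstat(base)
        tomcat_uid = st.st_uid + 1000         # hypothetical runtime uid
        tomcat_gids = [st.st_gid + 1000]      # hypothetical runtime group
        separated = audit_appbase(base, tomcat_uid, tomcat_gids)
        os.chmod(base, 0o777)                 # loosened: anyone may add entries
        loosened = audit_appbase(base, tomcat_uid, tomcat_gids)
        return separated, [os.path.relpath(p, base) for p in loosened]


if __name__ == "__main__":
    print(demo())
```

An empty result for the runtime account means it can read and serve the appBase but cannot add or alter anything in it.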
