I do this by not allowing the upload tool to write files with ".jsp" or ".jspx" extensions in the first place. I also disallow ".." in any part of the filename.
You could also write a filter that scans any requests going to that directory and checks for those extensions.

On Fri, 2004-10-29 at 18:05, Chris Lawder wrote:
> Hello,
>
> Can somebody please point me to documentation and examples that describe
> how to disallow the execution of .jsp or any other scripts/binaries
> within a single directory of a web application? Part of the web app is
> being allowed to upload reports which can then be read and downloaded by
> another. At this time I can upload a .jsp file and it will run in that
> directory.
>
> I have found much stuff on SecurityManager and syntax within the
> catalina.policy file but nothing yet that really explains to me what I
> need to do to accomplish what I described above. My attempts so far at
> proper catalina.policy syntax have not worked.
>
> This is a pure tomcat environment running Tomcat 4.1.30 at this time.
>
> Other comments regarding the proper use of an upload directory and its
> security are welcome.
>
> Thank you.
>
> Chris
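
An added example, not part of the original message and not Tomcat's own code: the upload-name check and the request filter described in the reply, written against the Servlet 2.3 filter API. The class name `UploadDirGuardFilter`, its helper methods and the `/uploads/*` mapping are hypothetical, and the case-insensitive match and the handling of trailing dots, spaces and `;` suffixes go beyond what the reply states.

```java
import java.io.IOException;
import java.util.Locale;
import javax.servlet.*;
import javax.servlet.http.*;

// Added example (hypothetical class). Map it in web.xml with a <filter-mapping>
// whose <url-pattern> covers the upload directory, e.g. /uploads/* (assumed path).
public class UploadDirGuardFilter implements Filter {

    // Upload-time check: call before writing the file; true means safe to store.
    public static boolean isSafeUploadName(String name) {
        if (name == null || name.length() == 0) return false;
        // Reject traversal, directory separators and NUL anywhere in the name.
        if (name.indexOf("..") >= 0 || name.indexOf('/') >= 0
                || name.indexOf('\\') >= 0 || name.indexOf('\0') >= 0) return false;
        return !hasScriptExtension(name);
    }

    // Case-insensitive; checks the path both with and without a ";param" suffix.
    static boolean hasScriptExtension(String path) {
        String p = path.toLowerCase(Locale.ENGLISH);
        int semi = p.indexOf(';');
        String bare = semi >= 0 ? p.substring(0, semi) : p;
        return endsWithJsp(p) || endsWithJsp(bare);
    }

    // Trailing dots and spaces are dropped first, since some filesystems strip them.
    private static boolean endsWithJsp(String p) {
        while (p.endsWith(".") || p.endsWith(" ")) p = p.substring(0, p.length() - 1);
        return p.endsWith(".jsp") || p.endsWith(".jspx");
    }

    public void init(FilterConfig config) throws ServletException { }
    public void destroy() { }

    public void doFilter(ServletRequest req, ServletResponse res, FilterChain chain)
            throws IOException, ServletException {
        HttpServletRequest request = (HttpServletRequest) req;
        // getServletPath/getPathInfo are already URL-decoded by the container.
        String path = request.getServletPath();
        if (request.getPathInfo() != null) path += request.getPathInfo();
        if (hasScriptExtension(path)) {
            // Refuse the request before it reaches the JSP servlet.
            ((HttpServletResponse) res).sendError(HttpServletResponse.SC_FORBIDDEN);
            return;
        }
        chain.doFilter(req, res);
    }
}
```

The upload handler would call `isSafeUploadName` on the client-supplied name before writing anything to disk; the filter is the second layer for files that reach the directory some other way.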
