Symlinks are off by default in 4.1.10 and higher. Check the online release notes for more information.
John

> -----Original Message-----
> From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 12:30 PM
> To: Tomcat Users List
> Subject: Symlinks
>
> Hi All,
>
> Is there any way to tell Tomcat to not follow symlinks? If not, how
> can I protect my server against malicious symlinks? Is the
> java.io.FilePermissions smart enough to figure these out?
>
> For example, if I give read access only to directory "foo" through the
> java.io.FilePermissions, but inside of "foo" there is a symlink that
> points to a file "bar", which really exists outside of the directory
> "foo". Is the Security Manager smart enough to catch this?
>
> I have also found that while I can't see a WEB-INF directory from the
> browser using a URL like so:
>
> http://myserver:8080/myapp/WEB-INF/,
>
> I can create a symlink in $CATALINA_HOME/webapp/myapp/ which points to a
> WEB-INF directory, then I can see that directory as plain as day. How
> can you protect your server from these sorts of things?
>
> Thanks,
> Denny
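
An added example, not part of the original thread: a shell audit that lists symlinks under a webapp directory which resolve outside it, or which expose its WEB-INF or META-INF under another name, the two cases raised in the question. The function name `audit_symlinks` and the output labels are illustrative, and it assumes a `readlink` that supports `-f` (GNU coreutils or BusyBox).

```shell
#!/bin/sh
# Added example (not from the thread): audit one webapp directory for symlinks
# that would let the container serve content from an unintended location.
# Usage: audit_symlinks "$CATALINA_HOME/webapps/myapp"
# Output labels (OUTSIDE, PROTECTED, BROKEN) are illustrative.
audit_symlinks() {
    # Resolve the root itself first so prefix comparisons use physical paths.
    root=$(cd "$1" 2>/dev/null && pwd -P) || {
        echo "ERROR cannot read $1"
        return 2
    }

    # find does not follow symlinks by default, so each link is reported once
    # and linked directories are not traversed.
    find "$root" -type l | while IFS= read -r link; do
        # Fully resolve the link; empty result means it could not be resolved.
        target=$(readlink -f -- "$link") || target=""
        if [ -z "$target" ]; then
            echo "BROKEN $link"
            continue
        fi

        case "$target" in
            "$root"|"$root"/*)
                ;;  # target stays inside the webapp, check it further below
            *)
                # e.g. foo/link -> /somewhere/else/bar
                echo "OUTSIDE $link -> $target"
                continue
                ;;
        esac

        # Inside the webapp: flag links that re-expose WEB-INF or META-INF
        # under a name the container does not treat as protected.
        rel=${target#"$root"}
        case "$rel" in
            /WEB-INF|/WEB-INF/*|/META-INF|/META-INF/*)
                echo "PROTECTED $link -> $target"
                ;;
        esac
    done
}
```

Links that resolve to ordinary content inside the webapp produce no output, so an empty result means nothing was flagged.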
