Where is this turned off at? The server I tested against was 4.1.10, but 
I did change the server.xml file, so if it is in there I guess I could 
have messed it up. Also, I did not start the server with a -security 
option, does that matter?

Thanks,
Denny

Turner, John wrote:

>Symlinks are off by default in 4.1.10 and higher.  Check the online release
>notes for more information.
>
>John
>
>
>  
>
>>-----Original Message-----
>>From: Denny Chambers [mailto:[EMAIL PROTECTED]]
>>Sent: Thursday, September 26, 2002 12:30 PM
>>To: Tomcat Users List
>>Subject: Symlinks
>>
>>
>>Hi All,
>>
>>    Is there any way to tell Tomcat to not follow symlinks? If not, how
>>can I protect my server against malicious symlinks? Is the
>>java.io.FilePermissions smart enough to figure these out?
>>
>>For example, if I give read access only to directory "foo" through the 
>>java.io.FilePermissions, but inside of "foo", there is a symlink that 
>>points to a file "bar", which really exists outside of the directory 
>>"foo". Is the Security Manager smart enough to catch this?
>>
>>I have also found that while I can't see a WEB-INF directory from the 
>>browser using a URL like so:
>>
>>    http://myserver:8080/myapp/WEB-INF/,
>>
>>I can create a symlink in $CATALINA_HOME/webapp/myapp/ which points to a
>>WEB-INF directory, then I can see that directory as plain as day. How
>>can you protect your server from these sorts of things?
>>
>>Thanks,
>>Denny
>>
>>
>>--
>>To unsubscribe, e-mail:   
>><mailto:[EMAIL PROTECTED]>
>>For additional commands, e-mail: 
>><mailto:[EMAIL PROTECTED]>
>>
>>    
>>
>



--
To unsubscribe, e-mail:   <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
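
An added example, not part of the original thread: one way to audit a webapp directory for the two symlink cases raised above, a link whose target lies outside the application root and a link that gives a protected directory such as WEB-INF a second, browsable name. The function names and the sample tree are hypothetical and constructed for illustration; a POSIX filesystem is assumed.

```python
import os
import tempfile

PROTECTED = {"WEB-INF", "META-INF"}  # directories the container refuses to serve directly

def audit_symlinks(webapp_root):
    """Return sorted (link, resolved_target, reason) tuples for risky symlinks."""
    root = os.path.realpath(webapp_root)

    def top(p):
        # First path component relative to the webapp root, case-folded.
        return os.path.relpath(p, root).split(os.sep)[0].upper()

    findings = []
    # followlinks=False: links are reported but never walked through (no loops).
    for dirpath, dirnames, filenames in os.walk(root, followlinks=False):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            if not os.path.islink(path):
                continue
            target = os.path.realpath(path)  # resolves chained links as well
            if os.path.commonpath([root, target]) != root:
                findings.append((path, target, "escapes webapp root"))
            elif top(target) in PROTECTED and top(path) not in PROTECTED:
                findings.append((path, target, "exposes protected directory"))
    return sorted(findings)

def build_demo_tree(base):
    """Constructed sample layout: myapp/ with three links, plus a file outside it."""
    app = os.path.join(base, "webapps", "myapp")
    os.makedirs(os.path.join(app, "WEB-INF"))
    os.makedirs(os.path.join(app, "docs"))
    outside = os.path.join(base, "bar")
    open(outside, "w").close()
    os.symlink(outside, os.path.join(app, "docs", "bar-link"))          # leaves the webapp
    os.symlink(os.path.join(app, "WEB-INF"), os.path.join(app, "cfg"))  # alias for WEB-INF
    os.symlink(os.path.join(app, "docs"), os.path.join(app, "help"))    # stays inside, harmless
    return app

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as tmp:
        for link, target, reason in audit_symlinks(build_demo_tree(tmp)):
            print(f"{reason}: {link} -> {target}")
```

The check compares fully resolved paths, so it reflects what the operating system will open rather than what the link name suggests.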
