Not sure, I haven't jumped to 4.1.10+ yet except for miscellaneous testing.
The symlink issue was discussed in a fair amount of detail within the last week on this list, as it apparently caught some people by surprise (those who needed symlinks ended up with broken apps when moving to 4.1.10). Apparently 4.1.11 (and I assume 4.1.12) have the ability to turn this on and off, while 4.1.10 just has them off, period.

http://marc.theaimsgroup.com/?l=tomcat-user&m=103239739330385&w=2

John

> -----Original Message-----
> From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 12:40 PM
> To: Tomcat Users List
> Subject: Re: Symlinks
>
> Where is this turned off at? The server I tested against was 4.1.10, but
> I did change the server.xml file, so if it is in there I guess I could
> have messed it up. Also, I did not start the server with a -security
> option, does that matter?
>
> Thanks,
> Denny
>
> Turner, John wrote:
>
> >Symlinks are off by default in 4.1.10 and higher. Check the online release
> >notes for more information.
> >
> >John
> >
> >>-----Original Message-----
> >>From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> >>Sent: Thursday, September 26, 2002 12:30 PM
> >>To: Tomcat Users List
> >>Subject: Symlinks
> >>
> >>Hi All,
> >>
> >>    Is there any way to tell Tomcat to not follow symlinks? If not how
> >>can I protect my server against malicious symlinks? Is the
> >>java.io.FilePermissions smart enough to figure these out?
> >>
> >>For example if I give read access only to directory "foo" through the
> >>java.io.FilePermissions, but inside of "foo", there is a symlink that
> >>points to a file "bar", which really exists outside of the directory
> >>"foo". Is the Security Manager smart enough to catch this.
> >>
> >>I have also found that while I can't see a WEB-INF directory from the
> >>browser using a URL like so:
> >>
> >>    http://myserver:8080/myapp/WEB-INF/,
> >>
> >>I can create a symlink in $CATALINA_HOME/webapp/myapp/ which points to a
> >>WEB-INF directory, then I can see that directory as plain as day. How
> >>can you protect your server from these sort of things.
> >>
> >>Thanks,
> >>Denny

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
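
The containment check the original question asks about, as an added example that is not part of the thread and is not Tomcat's own code: resolve the requested path with symlinks followed, and refuse it unless the result still lies under the permitted directory. The names "foo" and "bar" follow the question; the class and method names are hypothetical, the files are constructed in a temporary directory, and a filesystem that allows creating symlinks is assumed.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

// Added example (not Tomcat code): refuse to serve anything whose real
// location, after following symlinks, is outside the permitted base directory.
public class SymlinkContainment {

    // Returns true only if 'requested' resolves to a path inside 'base'.
    static boolean isContained(Path base, Path requested) throws IOException {
        Path realBase = base.toRealPath();         // follows symlinks in the base itself
        Path realTarget = requested.toRealPath();  // follows symlinks; throws if missing
        return realTarget.startsWith(realBase);    // component-wise, not a string prefix
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: <tmp>/foo is the permitted directory,
        // <tmp>/bar is a file that lives outside it.
        Path tmp = Files.createTempDirectory("symlink-demo");
        Path foo = Files.createDirectory(tmp.resolve("foo"));
        Path bar = Files.write(tmp.resolve("bar"), "outside foo".getBytes());
        Path inside = Files.write(foo.resolve("index.html"), "inside foo".getBytes());

        // foo/link -> <tmp>/bar : lexically inside foo, physically outside it.
        Path link = Files.createSymbolicLink(foo.resolve("link"), bar);

        System.out.println("index.html contained: " + isContained(foo, inside));
        System.out.println("link contained:       " + isContained(foo, link));

        // A purely lexical check is fooled, because the link's own path
        // does start with foo; only resolving the link reveals the escape.
        boolean lexical = link.toAbsolutePath().normalize()
                .startsWith(foo.toAbsolutePath().normalize());
        System.out.println("lexical check on link: " + lexical);
    }
}
```

The check and the later open are two separate steps, so a path that can be modified in between can still change under it; keep the served directory writable only by trusted accounts.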
