Don't take my word for it, I'm just a sys-admin. I could easily be wrong...there was just a bunch of traffic last week on the issue, and it was apparently related to 4.1.10. I didn't pay much attention, as it didn't affect me.

John

> -----Original Message-----
> From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> Sent: Thursday, September 26, 2002 12:55 PM
> To: Tomcat Users List
> Subject: Re: Symlinks
>
> I must have broken something in my 4.1.10 build, because I was able to
> use symlinks without a problem
>
> Turner, John wrote:
>
> >Not sure, I haven't jumped to 4.1.10+ yet except for miscellaneous testing.
> >
> >The symlink issue was discussed in a fair amount of detail within the last
> >week on this list, as it apparently caught some people by surprise (those
> >who needed symlinks ended up with broken apps when moving to 4.1.10).
> >Apparently 4.1.11 (and I assume 4.1.12) have the ability to turn this on and
> >off, while 4.1.10 just has them off, period.
> >
> >http://marc.theaimsgroup.com/?l=tomcat-user&m=103239739330385&w=2
> >
> >John
> >
> >>-----Original Message-----
> >>From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> >>Sent: Thursday, September 26, 2002 12:40 PM
> >>To: Tomcat Users List
> >>Subject: Re: Symlinks
> >>
> >>Where is this turned off at? The server I tested against was 4.1.10, but
> >>I did change the server.xml file, so if it is in there I guess I could
> >>have messed it up. Also, I did not start the server with a -security
> >>option, does that matter?
> >>
> >>Thanks,
> >>Denny
> >>
> >>Turner, John wrote:
> >>
> >>>Symlinks are off by default in 4.1.10 and higher. Check the online release
> >>>notes for more information.
> >>>
> >>>John
> >>>
> >>>>-----Original Message-----
> >>>>From: Denny Chambers [mailto:[EMAIL PROTECTED]]
> >>>>Sent: Thursday, September 26, 2002 12:30 PM
> >>>>To: Tomcat Users List
> >>>>Subject: Symlinks
> >>>>
> >>>>Hi All,
> >>>>
> >>>>Is there any way to tell Tomcat to not follow symlinks? If not how
> >>>>can I protect my server against malicious symlinks? Is the
> >>>>java.io.FilePermissions smart enough to figure these out?
> >>>>
> >>>>For example if I give read access only to directory "foo" through the
> >>>>java.io.FilePermissions, but inside of "foo", there is a symlink that
> >>>>points to a file "bar", which really exists outside of the directory
> >>>>"foo". Is the Security Manager smart enough to catch this?
> >>>>
> >>>>I have also found that while I can't see a WEB-INF directory from the
> >>>>browser using a URL like so:
> >>>>
> >>>>    http://myserver:8080/myapp/WEB-INF/,
> >>>>
> >>>>I can create a symlink in $CATALINA_HOME/webapp/myapp/ which points to a
> >>>>WEB-INF directory, then I can see that directory as plain as day. How
> >>>>can you protect your server from these sort of things?
> >>>>
> >>>>Thanks,
> >>>>Denny

--
To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]>
For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>
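
The two cases raised in the original question (a link inside "foo" that points to "bar" outside it, and a link that republishes a WEB-INF directory under another name) can be found by resolving every link to its real path and comparing it with the application root. The following is an added example, not part of the thread and not Tomcat's own code; the class name `SymlinkAudit`, the verdict labels and the sample layout are assumptions, and it expects a filesystem where the process may create symbolic links.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.*;
import java.util.stream.*;

public class SymlinkAudit {   // hypothetical name; added example, not Tomcat code
    // One line per symbolic link under appRoot, flagging links whose real
    // target lies outside the root or passes through a WEB-INF directory.
    static List<String> audit(Path appRoot) throws IOException {
        Path realRoot = appRoot.toRealPath();   // resolve links in the root path itself
        List<Path> links;
        // Files.walk does not follow links by default: links are listed, not entered.
        try (Stream<Path> walk = Files.walk(realRoot)) {
            links = walk.filter(Files::isSymbolicLink).collect(Collectors.toList());
        }
        List<String> report = new ArrayList<>();
        for (Path link : links) {
            Path target;
            try {
                target = link.toRealPath();     // follows the whole chain of links
            } catch (IOException e) {
                report.add("UNRESOLVED " + link);   // dangling link or link loop
                continue;
            }
            boolean escapes = !target.startsWith(realRoot);
            boolean webInf = false;
            for (Path part : target) {
                if (part.toString().equalsIgnoreCase("WEB-INF")) webInf = true;
            }
            String verdict = escapes ? "ESCAPES-ROOT" : webInf ? "EXPOSES-WEB-INF" : "OK";
            report.add(verdict + " " + link + " -> " + target);
        }
        return report;
    }

    public static void main(String[] args) throws IOException {
        // Constructed layout: foo/ holds a link to bar outside it and a link to its own WEB-INF.
        Path tmp = Files.createTempDirectory("symlink-audit");
        Path foo = Files.createDirectories(tmp.resolve("foo"));
        Path webInf = Files.createDirectories(foo.resolve("WEB-INF"));
        Path bar = Files.write(tmp.resolve("bar"), "outside".getBytes());
        Files.createSymbolicLink(foo.resolve("innocent.txt"), bar);
        Files.createSymbolicLink(foo.resolve("peek"), webInf);
        audit(foo).forEach(System.out::println);
    }
}
```

Run against the constructed layout, `innocent.txt` is reported as ESCAPES-ROOT and `peek` as EXPOSES-WEB-INF; pointing `audit` at a real webapp directory gives the same report for its links.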
