On 2025/02/17 14:09:36 Mark Thomas wrote:
> On 17/02/2025 11:50, Michael Osipov wrote:
> > Folks,
> > 
> > consider the following use case:
> >> <Resources>
> >>   <PostResources base="/foo/prod"
> >>                  className="org.apache.catalina.webresources.DirResourceSet"
> >>                  webAppMount="/dav" readOnly="true"
> >>                  allowLinking="true" />
> >> ...
> >> </Resources>
> > 
> > This, of course, does not work. I have to move the allowLinking attribute up 
> > to Resources which means that all resources are allowed to do that. I'd 
> > rather prefer something like:
> >> <Directory /foo/prod>
> >>    Options FollowSymLinks
> >> </Directory>
> > 
> > Looking at the current code getRoot().getAllowLinking() is invoked, for 
> > obvious reasons. I am a bit reluctant to allow that globally unless 
> > absolutely necessary.
> > I think it would be worthwhile to add to AbstractFileResourceSet which would 
> > first probe on the set and then consult the root.
> > 
> > WDYT? Shall I file an enhancement request?
> 
> Seems reasonable.
> 
> I think how to handle this for Pre/Post Resources and the main resources 
> is worth a little more thought.
> 
> Clearly, we want to be able to enable this for Pre/Post Resources 
> without enabling it for the main resources since that is the whole 
> point of the argument you make above.

This I do not understand. Why does the set type make a difference? It is an 
opt-in. It would be on a per-resource level. In fact, it does already work 
implicitly on a per resource level for main resources:
> root@deblndw024v:/opt/ports/apache-tomcat-9.0.99/lib/jdbc
> # tree
> .
> ├── oracle
> │   ├── ojdbc8.jar -> /opt/oracle/product/19.0.0/client_1/jdbc/lib/ojdbc8.jar
> │   ├── oraclepki.jar -> /opt/oracle/product/19.0.0/client_1/jlib/oraclepki.jar
> │   ├── osdt_cert.jar -> /opt/oracle/product/19.0.0/client_1/jlib/osdt_cert.jar
> │   └── osdt_core.jar -> /opt/oracle/product/19.0.0/client_1/jlib/osdt_core.jar
> └── sqlite-jdbc-nonative-3.47.0.0.jar

> What about the inverse?
> 
> If this is enabled for the main resources should it automatically be 
> enabled for Pre/Post Resources? That is effectively what happens at the 
> moment but do we want to change that? (If we do, likely only for 12.0.x 
> onwards).

My understanding is that any element (if applicable) in <Resources> can control 
whether symlinks are followed or not. Full control.

Does this make sense?
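
An added illustration, not Tomcat code and not written by anyone in this thread: a simplified Java model of the lookup order proposed above, where the resource set is probed first and the root-level value is only the fallback. The class, record and method names are hypothetical, and detecting a link by comparing against `toRealPath()` is an assumption made for this sketch.

```java
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

/** Simplified model of the proposal; hypothetical names, not Tomcat classes. */
public class LinkingDemo {

    /** One resource set. allowLinking == null means "not set, ask the root". */
    record ResourceSet(String mount, Path base, Boolean allowLinking) {}

    /** Probe the set first, then consult the root-level default. */
    static boolean effectiveAllowLinking(ResourceSet set, boolean rootAllowLinking) {
        return set.allowLinking() != null ? set.allowLinking() : rootAllowLinking;
    }

    /** Returns the file to serve, or null if it is missing, escapes the base, or needs a disallowed link. */
    static Path resolve(ResourceSet set, boolean rootAllowLinking, String name) throws IOException {
        Path base = set.base().toRealPath();
        Path candidate = base.resolve(name).normalize();
        if (!candidate.startsWith(base) || !Files.exists(candidate)) {
            return null; // "../" traversal, absolute name, or missing file
        }
        if (effectiveAllowLinking(set, rootAllowLinking)) {
            return candidate; // this set opted in (or inherited the root value)
        }
        // Linking not allowed: the path with all links resolved must equal the requested path.
        return candidate.toRealPath().equals(candidate) ? candidate : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample layout in a temporary directory.
        Path tmp = Files.createTempDirectory("linking-demo");
        Path outside = Files.writeString(tmp.resolve("outside.txt"), "target");
        Path main = Files.createDirectories(tmp.resolve("webapp"));
        Path prod = Files.createDirectories(tmp.resolve("prod"));
        Files.createSymbolicLink(main.resolve("link.txt"), outside);
        Files.createSymbolicLink(prod.resolve("link.txt"), outside);

        boolean rootAllowLinking = false; // stays off for the context as a whole
        ResourceSet mainSet = new ResourceSet("/", main, null);           // inherits the root value
        ResourceSet davSet = new ResourceSet("/dav", prod, Boolean.TRUE); // opt-in for this set only

        System.out.println("main: " + resolve(mainSet, rootAllowLinking, "link.txt"));
        System.out.println("dav:  " + resolve(davSet, rootAllowLinking, "link.txt"));
    }
}
```

With the root value left at `false`, only the set that opted in serves the symlinked file; the unset main set inherits the root value and refuses it.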
