Markus Schönhaber wrote:
André Warnier:

the filesystem which matters. If the filesystem is case-insensitive, it doesn't matter whether the URL is /ABC.PDF or /abc.pdf, does it ?

No. Try
http://localhost:8080/tomcat.gif
and
http://localhost:8080/tomcaT.gif
with a default Tomcat install.

Sorry, I was only reasoning this platonically.
And apparently I was wrong, at least on my Windows Tomcat 5.5.
The second access above gives a 404.
So what's the deal again ?

Under Windows, one can create a file named "tomcat.gif" OR "tomcaT.gif", and the filesystem will effectively record the filename with the capitalisation as given when creating the file.

Suppose I have created it as "tomcat.gif".
With a text editor (or whatever) I can open this file by specifying (in the File..open dialog), a name typed in as "tomcaT.gif" (I just tried).
Thus at that level it is case-insensitive.
I can also not create another file in the same directory, named "tomcaT.gif". If I try, I get a message saying that a file with the same name already exists (meaning the "tomcat.gif"). Thus at that level also it is case-insensitive.

However, via Tomcat (like the above link), if I specify a URL of "tomcaT.gif", I get a 404. So apparently Tomcat does not just use the standard Windows file..open function, it runs additional checks.
Good.
Because if it did not, then I could request /myapp/web-inf/anything and get it, bypassing the /WEB-INF/ protection.


In the Tomcat on-line documentation, both for 5.5 and 6.0, for the Context element, I find the following explanation for the attribute "caseSensitive" :

"If the value of this flag is true, all case sensitivity checks will be disabled. If not specified, the default value of the flag is true.

NOTE: This flag MUST NOT be set to false on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems."

I personally find this paragraph rather obscure, since the first and third phrase seem to contradict each other. In the 1st one it says that, if set to true, all case sensitivity checks will be disabled. (true -> disabled) In the third, it says that setting it to false will disable case sensitivity checks. (false -> disabled)

So both true and false disable case-sensitivity checks.
Mmmmm..  in the quantum realm maybe, but in Tomcat ?

Should the first phrase not read
"If the value of this flag is true, all case sensitivity checks will be *enabled*."

?

I also wonder what the purpose of this attribute really is, in fact.
Should this not always be left to "case sensitive = true" ?
- under Windows or any case-insensitive filesystem, it should be left to "true". Ok, understandable.
- but under a case-sensitive filesystem, what would be a good reason to set it to "false" ?
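
The following is an added example, not part of the original message and not Tomcat's own code: one way a server can run the kind of "additional check" the message describes, accepting a URL segment only when the directory listing contains that exact name, so that "tomcaT.gif" and "web-inf" give a 404 even on a case-insensitive filesystem. The names ExactCaseResolver, resolve and hasExactEntry are hypothetical, and the sample tree is constructed.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.Path;

// Added illustration, not Tomcat source. All class and method names here are
// hypothetical; the sample files are constructed in a temporary directory.
public class ExactCaseResolver {

    // Returns the file for urlPath, or null (the caller answers 404).
    static Path resolve(Path docBase, String urlPath) throws IOException {
        Path current = docBase;
        boolean first = true;
        for (String segment : urlPath.split("/")) {
            if (segment.isEmpty()) continue;
            if (segment.equals(".") || segment.equals("..")) return null;
            // The protected directory is refused in any capitalisation.
            if (first && segment.equalsIgnoreCase("WEB-INF")) return null;
            if (!hasExactEntry(current, segment)) return null;
            current = current.resolve(segment);
            first = false;
        }
        return Files.isRegularFile(current) ? current : null;
    }

    // A plain file-open on a case-insensitive filesystem would match
    // "tomcaT.gif" to "tomcat.gif"; comparing the requested name against the
    // name the directory actually lists is a case-sensitive test everywhere.
    static boolean hasExactEntry(Path dir, String name) throws IOException {
        if (!Files.isDirectory(dir)) return false;
        try (DirectoryStream<Path> entries = Files.newDirectoryStream(dir)) {
            for (Path entry : entries) {
                if (entry.getFileName().toString().equals(name)) return true;
            }
        }
        return false;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: tomcat.gif and WEB-INF/web.xml.
        Path root = Files.createTempDirectory("docbase");
        Files.write(root.resolve("tomcat.gif"), new byte[] {'G', 'I', 'F'});
        Files.createDirectories(root.resolve("WEB-INF"));
        Files.write(root.resolve("WEB-INF").resolve("web.xml"), "<web-app/>".getBytes());
        for (String url : new String[] {"/tomcat.gif", "/tomcaT.gif", "/web-inf/web.xml"}) {
            System.out.println(url + " -> " + (resolve(root, url) != null ? "200" : "404"));
        }
    }
}
```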


