https://bz.apache.org/bugzilla/show_bug.cgi?id=61369
Mark Thomas <ma...@apache.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |NEEDINFO

--- Comment #3 from Mark Thomas <ma...@apache.org> ---
The canonical path check is still required to enforce the required case sensitivity.

The Windows APIs, most likely for reasons dating back to how 8.3 filenames were stored [1], ignore trailing periods in file names. That explains why allowLinking="true" enables this vulnerability. As far as the OS APIs are concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml", and setting allowLinking="true" bypasses the additional checks Tomcat performs to ensure an exact match between the requested path and the canonical path.

Just need confirmation from the OP that allowLinking="true" was being used and this issue can be closed.

[1] https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names
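An added illustration of the check the comment describes, written in Python rather than Tomcat's Java and not Tomcat's own code: a minimal document-base lookup that denies /WEB-INF/ lexically and then refuses any request whose canonical path differs from the requested one, which is the comparison allowLinking="true" switches off. The sample webapp layout, file names and the `lnk` symlink are constructed; on Linux the symlink stands in for the Windows trailing-dot alias, which that filesystem does not have.

```python
import os
import tempfile


class ResourceLookup:
    """Illustrative model (not Tomcat's code) of the checks a container runs
    before serving a file out of its document base."""

    def __init__(self, doc_base, allow_linking=False):
        # Canonical form of the document root: symlinks and OS name quirks resolved.
        self.doc_base = os.path.realpath(doc_base)
        self.allow_linking = allow_linking

    def resolve(self, request_path):
        """Return the canonical file to serve, or None if the request is refused."""
        request_path = "/" + request_path.lstrip("/")
        # Case-sensitive, lexical denial of the protected directory. On a
        # case-insensitive filesystem "/web-inf/" or "/WEB-INF./" slips past
        # this line, which is why the canonical comparison below is still needed.
        if request_path.startswith("/WEB-INF/"):
            return None
        candidate = os.path.normpath(self.doc_base + request_path)
        # Refuse anything that escapes the document base.
        if os.path.commonpath([self.doc_base, candidate]) != self.doc_base:
            return None
        if not os.path.exists(candidate):
            return None
        canonical = os.path.realpath(candidate)
        # Exact-match check: the path we were asked for must equal, byte for
        # byte, what the OS resolves it to. A symlink, a case variant, or Windows
        # folding "WEB-INF." into "WEB-INF" all fail here; allow_linking skips it.
        if not self.allow_linking and canonical != candidate:
            return None
        return canonical


def build_sample_docbase():
    """Constructed sample webapp: WEB-INF/web.xml, index.html, and a symlink
    'lnk' -> WEB-INF standing in for the Windows trailing-dot alias."""
    base = tempfile.mkdtemp(prefix="docbase-")
    os.makedirs(os.path.join(base, "WEB-INF"))
    open(os.path.join(base, "WEB-INF", "web.xml"), "w").close()
    open(os.path.join(base, "index.html"), "w").close()
    os.symlink(os.path.join(base, "WEB-INF"), os.path.join(base, "lnk"))
    return base


if __name__ == "__main__":
    base = build_sample_docbase()
    strict, lax = ResourceLookup(base), ResourceLookup(base, allow_linking=True)
    for p in ("/index.html", "/WEB-INF/web.xml", "/lnk/web.xml", "/../x"):
        print(p, "strict:", strict.resolve(p), "lax:", lax.resolve(p))
```

With allow_linking=False the symlinked route to web.xml is refused because its canonical path is not the requested path; with allow_linking=True the same request is served, mirroring the bypass the comment explains.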