https://issues.apache.org/bugzilla/show_bug.cgi?id=57251
--- Comment #17 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Mark Thomas from comment #16)
> There is nothing stopping users copying an exploded directory into the
> appBase in the same way a WAR is copied. The ASF's JIRA instance runs this
> way for exactly the security concerns you cite.

Yes, but those WARs are being copied locally and can work by using a user other than Tomcat's uid.

> I do not see any security benefits that are unique to unpackWARs="false"

If Tomcat itself can be remotely exploited to drop a WAR file into webapps/ then it might be auto-deployed without local access (which is what you describe above).
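An added example, not part of the original comment or of Tomcat's code: a Python audit of the two conditions the comment turns on, whether a Host has autoDeploy enabled and whether its appBase is writable by the uid Tomcat runs as. The server.xml fragment, the function names and the uid/gid arguments are constructed for illustration; the check reads POSIX mode bits only and ignores ACLs.

```python
import os
import stat
import tempfile
import xml.etree.ElementTree as ET

# Constructed sample server.xml fragment (not taken from the bug report).
SAMPLE_SERVER_XML = """<Server><Service name="Catalina">
 <Engine name="Catalina" defaultHost="localhost">
  <Host name="localhost" appBase="webapps" unpackWARs="false" autoDeploy="true"/>
 </Engine></Service></Server>"""

def writable_by(path, uid, gids):
    """True if the mode bits of path grant write access to uid (ACLs ignored)."""
    if not os.path.exists(path):
        return False
    if uid == 0:                      # root bypasses mode bits
        return True
    st = os.stat(path)
    if st.st_uid == uid:
        return bool(st.st_mode & stat.S_IWUSR)
    if st.st_gid in gids:
        return bool(st.st_mode & stat.S_IWGRP)
    return bool(st.st_mode & stat.S_IWOTH)

def audit_hosts(server_xml, catalina_base, tomcat_uid, tomcat_gids):
    """Report, per <Host>, whether a file written by Tomcat's uid would auto-deploy."""
    findings = []
    for host in ET.fromstring(server_xml).iter("Host"):
        app_base = host.get("appBase", "webapps")
        if not os.path.isabs(app_base):          # relative appBase resolves under CATALINA_BASE
            app_base = os.path.join(catalina_base, app_base)
        auto = host.get("autoDeploy", "true").lower() == "true"      # default is true
        unpack = host.get("unpackWARs", "true").lower() == "true"    # default is true
        writable = writable_by(app_base, tomcat_uid, tomcat_gids)
        findings.append({
            "host": host.get("name"), "appBase": app_base,
            "autoDeploy": auto, "unpackWARs": unpack,
            "writable_by_tomcat": writable,
            "drop_would_autodeploy": auto and writable,
        })
    return findings

if __name__ == "__main__":
    base = tempfile.mkdtemp()                    # stand-in for CATALINA_BASE
    os.mkdir(os.path.join(base, "webapps"))
    for finding in audit_hosts(SAMPLE_SERVER_XML, base, os.getuid(), set(os.getgroups())):
        print(finding)
```
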