Lexical analysis of file names is not exactly 'flawed' but it is hard to get right. Tricks like encoding the separator in Unicode or adding extra ././ tend to trip up the simplest implementations. I take your point that the security stuff is tricky, but for most servlets one can define the files/directories it may access pretty easily, so perhaps containers could have a 'deployment mode' where the default permissions are very restrictive, and exceptions are specified in web.xml.
URL: http://www.westpoint.ltd.uk/ - internet recon.

Archives: http://archives.java.sun.com/archives/servlet-interest.html
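The contrast the message draws, as an added example that is not part of the original post: a simple lexical filter next to a canonicalise-then-allowlist check standing in for the proposed restrictive deployment mode. The web root, the allowed directories and the function names are assumptions; the allowlist plays the role of the web.xml exceptions, and normpath is used in place of a real filesystem resolve so the example runs anywhere.

```python
import posixpath
from typing import Optional
from urllib.parse import unquote

# Constructed deployment policy: everything under the web root is denied
# unless one of these directories covers it (the "exceptions in web.xml").
WEBROOT = "/app/webroot"
ALLOWED_DIRS = ["/app/webroot/public", "/app/webroot/docs"]


def lexical_check(name: str) -> bool:
    """The simple kind of filter the message says is easy to trip up.

    Refuses names that start with '..' or '/', nothing more."""
    return not (name.startswith("..") or name.startswith("/"))


def resolve_allowed(name: str) -> Optional[str]:
    """Canonicalise the request, then permit only paths under ALLOWED_DIRS.

    Returns the resolved path, or None when the request must be refused."""
    if "\x00" in name:
        return None
    try:
        # Decode once with strict UTF-8 so an invalidly encoded separator is
        # refused instead of being silently repaired into a real one.
        decoded = unquote(name, errors="strict")
    except UnicodeDecodeError:
        return None
    if "%" in decoded or "\\" in decoded:  # double encoding or backslash
        return None
    # Canonicalise before comparing: normpath collapses './' and '../'
    # lexically. A servlet touching a real filesystem should use a
    # realpath-style call here so symlinks are resolved as well.
    resolved = posixpath.normpath(posixpath.join(WEBROOT, decoded.lstrip("/")))
    for allowed in ALLOWED_DIRS:
        if resolved == allowed or resolved.startswith(allowed + "/"):
            return resolved
    return None
```

The extra "./" prefix and the percent-encoded separator both pass the lexical filter yet are refused by the allowlist check, while a path with no traversal at all is still refused when it falls outside the listed directories.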
