Wouldn't it be a better idea NOT to expand the contents of the WEB-INF
and META-INF directories along with the rest of the webapp and expand
them into some other directory instead?

Instead of making everything available and trying to restrict access
afterwards, it would be much safer not to make it available in the first
place...

In fact the same goes for .jsp pages themselves too.  The container
recognises incoming requests for those pages anyway and will know where
to find the source.

The only thing that should be left in the webapps directory is any
static content (or the other way round of course, make a separate
directory with all static content and let that be served by e.g. Apache).

I checked the servlet specification (both 2.2 and 2.3pfd) and I don't
see anything that conflicts with this.  If a servlet or .jsp page wants
the static contents of an otherwise dynamic page (such as the source of
a jsp page) it has to use the getResource or getResourceAsStream method
of the ServletContext interface anyway, so the container can return the
correct URL or stream.

I realise this will require some major redesigning, but it would make a
lot of security leaks next to impossible (e.g. misconfiguring Apache
wouldn't allow the clients to see any sources even if they inadvertently
have total access to the webapp directory, the problems with
case-sensitivity wouldn't be that security-sensitive any more, etc...).

In a perfect world, Tomcat would scan the web.xml file, determine what
files are actually dynamic content and move these to a separate
directory on the same level as webapps/.
However, in a first phase, only the WEB-INF and the META-INF directories
could be moved.


Just firing some ideas...

Luc Vanlerberghe


"Craig R. McClanahan" wrote:
> 
> Jon Stevens wrote:
> 
> > on 12/9/2000 7:07 PM, "[EMAIL PROTECTED]"
> > <[EMAIL PROTECTED]> wrote:
> >
> > > +            (jspFile.toUpperCase().indexOf("/WEB-INF/") != 0) ||
> > > +            (jspFile.toUpperCase().indexOf("/META-INF/") != 0))
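Review bot: the two added clauses are joined with || and each tests indexOf(...) != 0, so for any jspFile at least one of them is true (a path cannot begin with both "/WEB-INF/" and "/META-INF/") and whatever branch they guard is taken for every input. If the intent is to refuse paths under those two directories, test == 0 (or use startsWith) on each clause. Separately, toUpperCase() with no Locale argument depends on the JVM default locale, so pass a fixed locale to keep the comparison stable.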
> >
> > Seems like it would be better to define this as a constant somewhere...
> >
> > public static final String WEB_INF = "/WEB-INF";
> >
> 
> I suppose, although there's only one place within the core servlet container
> that these directories are significant (in the module that handles static
> resources), so a constant would only be used once.
> 
> In the case at hand, this is an *application* level component (the ShowSource
> custom tag used on the "source.jsp" page, inherited back from JSDK 2.1 days)
> that is deliberately ignoring the restrictions of the servlet spec, and you
> would not want to make compiling it dependent on the servlet container core
> classes anyway ...
> 
> >
> > Also, I think you should remove the trailing / because the extra character
> > comparison isn't needed and could cause issues if it isn't there (although
> > it probably wouldn't be...). :-)
> 
> Your suggestion would mean I could not have a directory "WEB-INF-stuff" or
> "META-INF-data" in my webapp treated like any other directory.  That's going
> beyond protecting people and into the realm of infringing their freedom :-).
> 
> >
> > -jon
> >
> > --
> > Honk if you love peace and quiet.
> 
> Craig
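
An added example, not code from this thread or from Tomcat: one way to write the check discussed in the quoted exchange so that it compares whole path segments (leaving "WEB-INF-stuff" alone), ignores case, and resolves ".." before testing. The class and method names are hypothetical, and it assumes only the top-level WEB-INF and META-INF directories are protected.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

public class ProtectedPathCheck {

    /** Returns true if the context-relative path must not be served or shown. */
    static boolean isProtected(String path) {
        // Resolve "." and ".." first so "/jsp/../WEB-INF/web.xml" is seen for what it is.
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : path.replace('\\', '/').split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue;
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return true; // climbs above the webapp root: refuse
                }
                segments.removeLast();
            } else {
                segments.addLast(seg);
            }
        }
        if (segments.isEmpty()) {
            return false; // the webapp root itself
        }
        // Compare the whole first segment, case-insensitively and with a fixed locale.
        String first = segments.getFirst().toUpperCase(Locale.ROOT);
        return first.equals("WEB-INF") || first.equals("META-INF");
    }

    public static void main(String[] args) {
        String[] samples = { // constructed sample paths
            "/WEB-INF/web.xml", "/web-inf/classes/Foo.class", "/META-INF/MANIFEST.MF",
            "/jsp/../WEB-INF/web.xml", "/WEB-INF", "/../other/file.txt",
            "/WEB-INF-stuff/readme.txt", "/jsp/source.jsp", "/docs/WEB-INF/notes.txt"
        };
        for (String s : samples) {
            System.out.println((isProtected(s) ? "deny   " : "allow  ") + s);
        }
    }
}
```

The first six sample paths are denied and the last three are allowed.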
