Luc Vanlerberghe wrote:
> Wouldn't it be a better idea NOT to expand the contents of the WEB-INF
> and META-INF directories along with the rest of the webapp and expand
> them into some other directory instead?
>
It would certainly be possible to do this, but I'm not sure it would help any on
the security-related issues. The key is that calls like this:
URL url = getServletContext().getResource("/WEB-INF/web.xml");
and
InputStream is = getServletContext().getResourceAsStream("/WEB-INF/web.xml");
still have to work, so you've still got to worry about the same vulnerabilities
anyway. It doesn't hurt at all to look at alternatives -- but this doesn't appear
to significantly improve security to me.
(Don't ask me what I think of stupid operating systems that accept "//" in a
pathname and simply ignore them like Linux does ... grrr).
Craig McClanahan
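The point above is that the container's own application code must still be able to open /WEB-INF/web.xml through the ServletContext, so the protection has to live in the request path, not in where the files happen to be expanded. The following is an added example, not Tomcat code and not from either poster: a hypothetical ProtectedPathGuard that a static-file (default) servlet could apply to the decoded request path before touching the filesystem. It assumes the path has already been URL-decoded exactly once (as getServletPath()/getPathInfo() return it), collapses the repeated slashes the message complains about, resolves "." and ".." segments, refuses anything that climbs above the context root, and compares the WEB-INF/META-INF prefix case-insensitively so a case-folding filesystem cannot be used to slip past it. The sample request paths in main() are constructed for illustration.

```java
import java.util.ArrayDeque;
import java.util.Deque;
import java.util.Locale;

/**
 * Hypothetical request-path guard (illustrative, not Tomcat's implementation).
 * Applied only to client-supplied paths; application code calling
 * ServletContext.getResource("/WEB-INF/web.xml") never goes through it.
 */
public final class ProtectedPathGuard {

    /**
     * Canonicalize a decoded request path: treat '\' like '/', drop empty
     * segments (so "//" collapses exactly as the OS would), drop ".", and
     * resolve "..". Returns null if the path would escape the context root.
     */
    public static String normalize(String requestPath) {
        if (requestPath == null || requestPath.isEmpty()) {
            return null;
        }
        // Defensive choice: some platforms accept '\' as a separator.
        String p = requestPath.replace('\\', '/');
        if (p.charAt(0) != '/') {
            return null; // servlet paths are always root-relative
        }
        Deque<String> segments = new ArrayDeque<>();
        for (String seg : p.split("/")) {
            if (seg.isEmpty() || seg.equals(".")) {
                continue; // "//" and "/./" carry no information
            }
            if (seg.equals("..")) {
                if (segments.isEmpty()) {
                    return null; // attempt to climb above the context root
                }
                segments.removeLast();
                continue;
            }
            segments.addLast(seg);
        }
        StringBuilder sb = new StringBuilder();
        for (String seg : segments) {
            sb.append('/').append(seg);
        }
        return sb.length() == 0 ? "/" : sb.toString();
    }

    /**
     * True if the request must be refused: either it could not be normalized,
     * or its canonical form lies inside /WEB-INF or /META-INF.
     * Case-insensitive so that "/web-inf/web.xml" on a case-folding
     * filesystem is treated the same as "/WEB-INF/web.xml".
     */
    public static boolean isProtected(String requestPath) {
        String norm = normalize(requestPath);
        if (norm == null) {
            return true; // fail closed
        }
        String upper = norm.toUpperCase(Locale.ROOT);
        return upper.equals("/WEB-INF") || upper.startsWith("/WEB-INF/")
            || upper.equals("/META-INF") || upper.startsWith("/META-INF/");
    }

    public static void main(String[] args) {
        // Constructed sample request paths, already URL-decoded.
        String[] samples = {
            "/index.html",
            "/WEB-INF/web.xml",
            "/WEB-INF//web.xml",
            "/web-inf/web.xml",
            "/images/../WEB-INF/web.xml",
            "/META-INF/MANIFEST.MF",
            "/../etc/passwd",
            "/WEB-INF/",
            "/",
        };
        for (String s : samples) {
            System.out.printf("%-28s -> %-20s %s%n",
                s, normalize(s), isProtected(s) ? "REJECT" : "serve");
        }
    }
}
```

In a default servlet the check sits at the top of doGet(): compute the decoded path, call isProtected() on it, and answer 404 (not 403, which would confirm the resource exists) before any File or getResource() call is made for the client. Decode exactly once before normalizing; normalizing an encoded path and decoding afterwards reopens the "%2e%2e" and "%2f" variants of the same traversal.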