Ok, I see that, and it's kind of scary! That seems like a pretty poor design for the compiler not to handle that kind of change.

Thanks for explaining...
Dave


Tim Lucia wrote:

If you ask for /path/to/some.JSP, you will see the source code of the jsp,
since the jsp compiler is mapped to *.jsp (and not *.JSP).

Thus, someone can see the internal workings of your jsp and make 'better'
hacking attempts.  Is there something else about security you are concerned
with?



-----Original Message-----
From: David Kerber [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 9:35 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive

Yes, that was me, and that's why I chimed in here.  However, still nobody
has explained in any detail how this is a security risk other than reducing
the number of guesses you have to make to find static resources in a
brute-force hacking attempt...


Tim Lucia wrote:

I am sure I have seen this before on this list, and the answer I remember is that the case sensitivity part is only for file names. Servlet mappings are case-sensitive regardless because the spec says so.

Read this as well, although it says "all case sensitivity checks will be disabled" it doesn't define "case sensitivity checks".

http://tomcat.apache.org/tomcat-5.5-doc/config/context.html

Read this too

http://marc.theaimsgroup.com/?l=tomcat-user&m=114002237714355&w=2

(David Kerber started this one.)


-----Original Message-----
From: David Delbecq [mailto:[EMAIL PROTECTED]
Sent: Tuesday, March 07, 2006 9:04 AM
To: Tomcat Users List
Subject: Re: How can I set tomcat NOT Case Sensitive

Looking at the code, it seems the casesensitive flag is used when a resource is loaded from the filesystem (amongst others). If casesensitive is true, the absolute filename of the loaded resource is compared to the requested resource (in FileDirContext). If casesensitive is removed, anything accepted by new File() is returned as is. I don't know if the casesensitive flag is used by anything else
than file loading.
David Kerber wrote:



If it works that way (and I haven't tried it), then I would say that the caseSensitive="false" flag was not working as I would expect. I would expect that things defined for /MYNAME would work for /myname if caseSensitive was false.

Can anybody tell me definitively how this security risk works?


David Delbecq wrote:

I suspect a call to /something.JSP will not go through the JSP engine.
I can also guess that the security constraints applied on /servlet will not apply on /SERVLET.


David Kerber wrote:



I've seen that notice, but could you explain to me how that works? I don't see how this could cause any security issues, except for slightly reducing the number of attempts you would need in a brute-force hacking attempt.

Dave


David Delbecq wrote:



Be careful, there are security issues with this (JSP code disclosure!)!!
David Kerber wrote:



<Context caseSensitive="false">


Buddy wu wrote:



2006/3/7, Long <[EMAIL PROTECTED]>:



Buddy wu wrote:
I want to know if there is any way to set Tomcat NOT CASE SENSITIVE in the URL.
I mean: when I write 'http://localhost/test.html' in the browser, it
equals 'http://localhost/TEST.htm'. Can I do it? Or is it only possible on WINDOWS but not on Linux/Unix?

Right, url is case-insensitive under Windows because the file system

But, the FACT is that under Windows the URL is CASE-SENSITIVE, not case-insensitive, why?

I've tried, under Windows, test.html and TEST.html are different in the Tomcat server. Is there a parameter to set??

can't tell a difference between test.html and TEST.html. The difference is there under Linux/UNIX.

Long
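
The mismatch the thread describes, modelled as an added example (not code from the thread or from Tomcat): servlet mappings and security-constraint url-patterns are matched case-sensitively as the servlet spec requires, while the resource lookup behind the default servlet is not when caseSensitive="false". The sample webapp layout, mapping and constraint below are constructed, and `audit` reports which files become reachable under a different handler, or outside their constraint, simply by changing the case of the URL.

```python
# Added example (not from the thread): a small model of the interaction the
# replies describe. Servlet mappings and security constraints are matched
# case-sensitively (servlet spec); with caseSensitive="false" the file
# lookup behind the default servlet is not. The names below are constructed.

def match_mapping(pattern: str, path: str) -> bool:
    """Servlet-spec style match: '*.ext', '/prefix/*' or exact. Case-sensitive."""
    if pattern.startswith("*."):
        return path.endswith(pattern[1:])
    if pattern.endswith("/*"):
        prefix = pattern[:-2]
        return path == prefix or path.startswith(prefix + "/")
    return pattern == path

def resolve_file(files: set, path: str, case_sensitive: bool):
    """Model of the resource lookup: exact match, or any-case match when disabled."""
    if case_sensitive:
        return path if path in files else None
    return next((f for f in files if f.lower() == path.lower()), None)

def route(files, mappings, constraints, path, case_sensitive):
    """Return (handler, protected) for a request path."""
    protected = any(match_mapping(c, path) for c in constraints)
    for pattern, servlet in mappings:
        if match_mapping(pattern, path):
            return servlet, protected
    found = resolve_file(files, path, case_sensitive)  # default servlet
    return ("static:" + found if found else "404"), protected

def audit(files, mappings, constraints):
    """List files whose upper-cased URL is handled differently under caseSensitive=false."""
    findings = []
    for f in sorted(files):
        strict = route(files, mappings, constraints, f, True)
        loose = route(files, mappings, constraints, f.upper(), False)
        if loose != strict:
            findings.append((f.upper(), strict, loose))
    return findings

# Constructed sample webapp layout.
FILES = {"/index.jsp", "/admin/list.jsp", "/docs/readme.html"}
MAPPINGS = [("*.jsp", "jsp")]          # JspServlet mapped to *.jsp only
CONSTRAINTS = ["/admin/*"]             # security-constraint url-pattern

if __name__ == "__main__":
    for url, strict, loose in audit(FILES, MAPPINGS, CONSTRAINTS):
        print(f"{url}: strict={strict} loose={loose}")
```

The static .html file produces no finding, which is the case Dave had in mind; the two .jsp files are served as plain files by the default servlet, and the one under /admin/ also falls outside its constraint.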


