For security purposes, Mozilla applications block links to local files (and
directories) from remote files. This includes linking to files on your hard
drive, on mapped network drives, and accessible via Uniform Naming
Convention <http://en.wikipedia.org/wiki/Path_%28computing%29#Uniform_Naming_Convention> (UNC)
paths. This *prevents* a number of unpleasant possibilities, including:

   - Allowing sites to detect your operating system by checking default
   installation paths
   - Allowing sites to exploit system vulnerabilities (e.g., C:\con\con in
   Windows 95/98)
   - Allowing sites to detect browser preferences or read sensitive data

See here for more info
http://kb.mozillazine.org/Links_to_local_pages_don%27t_work

--
Dini


On Thu, Jun 10, 2010 at 5:18 PM, André Warnier <a...@ice-sa.com> wrote:

> mamalacation wrote:
>
>>
>>
>> Pid * wrote:
>>
>>>
>>> Why not just fix the URLs?
>>>
>>> p
>>>
>>>
>>>
>>
>> I am not sure what you mean by saying "fix the URLs", but in the meantime
>> I found out how to set the option
>> org.apache.catalina.connector.CoyoteAdapter.ALLOW_BACKSLASH=true
>> in conf/catalina.properties, so now it almost works! It starts downloading
>> the file, but the filename to be saved is path\to\file.ext instead of
>> file.ext.
>>
>> Does anybody know how this can be fixed?
>>
>
> No. But before you find a "solution" and create a big security issue, I
> suggest that from now on you check this with different browsers, and
> particularly different IE versions.
>
> I think that the "fix" you found is really a kludge, in that it kind of
> works by making some pieces of software believe that this is an acceptable
> file name, while other pieces may see this as a file path.
> But it seems *really* dangerous to me.
>
> As pid indicated, you should fix the problem, not the symptom.
> Or you will end up sorry, I am quite certain.
>
> Fixing the URLs in this case means to replace the %5C's (escaped \) by
> escaped "/" characters, before you send the links to the browser.
>
>
>
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: users-unsubscr...@tomcat.apache.org
> For additional commands, e-mail: users-h...@tomcat.apache.org
>
>

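The link fix suggested in the quoted reply (send "/" rather than %5C, instead of enabling ALLOW_BACKSLASH), as an added example that is not part of the original thread: a Java helper that normalizes a stored Windows-style relative path into an encoded URL path and derives the bare file name. The class name, the `/files/` prefix and the sample path are assumptions made for illustration.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.List;

public class DownloadLinks {

    /**
     * Builds the path part of a download link from a stored relative path
     * that may use Windows separators, so the browser receives "/" and the
     * container never has to accept an (escaped) backslash in a URL.
     */
    static String toUrlPath(String storedPath) {
        List<String> encoded = new ArrayList<>();
        for (String segment : storedPath.replace('\\', '/').split("/")) {
            if (segment.isEmpty() || segment.equals(".")) {
                continue; // collapse duplicate or no-op separators
            }
            if (segment.equals("..")) {
                // Refuse parent-directory segments instead of resolving them.
                throw new IllegalArgumentException("parent-directory segment in path");
            }
            // URLEncoder performs form encoding: a space becomes "+", which is
            // only right in a query string, so map it to %20 for a path segment.
            // A literal "+" in the name is already encoded as %2B at this point.
            encoded.add(URLEncoder.encode(segment, StandardCharsets.UTF_8)
                    .replace("+", "%20"));
        }
        return String.join("/", encoded);
    }

    /** Last segment of the stored path, usable as the suggested file name. */
    static String fileName(String storedPath) {
        String normalized = storedPath.replace('\\', '/');
        return normalized.substring(normalized.lastIndexOf('/') + 1);
    }

    public static void main(String[] args) {
        String stored = "path\\to\\my file.ext"; // constructed sample value
        // "/files/" is a hypothetical mapping of the download location.
        System.out.println("/files/" + toUrlPath(stored));
        System.out.println(fileName(stored));
    }
}
```

`URLEncoder.encode(String, Charset)` requires Java 10 or later.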