On a tomcat 7 server used by a third party program, the WEB-INF/web.xml file is accessible from user's browser. Is there a way to prevent this from happening?
1 Answer
Had a similar issue today. WEB-INF/web.xml was accessible with http://example.com/WEB-INF./web.xml (mind the `.` in front of `/web.xml`).
This only happens on Windows servers with Tomcat.
To resolve that behavior, edit $TOMCAT_HOME/conf/context.xml and remove allowLinking=true (or set it to false) in the <Context ... /> tag. Then restart Tomcat.
See also Tomcat Documentation - The Context Container
allowLinking
If the value of this flag is true, symlinks will be allowed inside the web application, pointing to resources inside or outside the web application base path. If not specified, the default value of the flag is false.
NOTE: This flag MUST NOT be set to true on the Windows platform (or any other OS which does not have a case sensitive filesystem), as it will disable case sensitivity checks, allowing JSP source code disclosure, among other security problems.

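As an added illustration (not part of the original answer or of Tomcat itself), the shell script below writes two constructed Tomcat 7 context.xml files, one with the weak allowLinking="true" setting the answer describes and one with the attribute removed, and then audits a conf directory for any <Context> element that still enables it. The file names, the temporary directory and the audit function names are assumptions made for this demo.

```shell
#!/bin/sh
# Added example, not code from the original answer or from Tomcat.
# Builds a constructed "weak" and "fixed" context.xml and audits a
# conf directory for <Context> elements that still set allowLinking="true".

# Assumed scratch directory for the constructed sample files.
WORK="${TMPDIR:-/tmp}/tomcat-allowlinking-demo.$$"
mkdir -p "$WORK"

# Constructed sample: the weak setting described in the answer.
cat > "$WORK/context-weak.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Context allowLinking="true">
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
EOF

# Constructed sample: the corrected setting. The attribute is simply
# removed; the documented default for allowLinking is false.
cat > "$WORK/context-fixed.xml" <<'EOF'
<?xml version="1.0" encoding="UTF-8"?>
<Context>
    <WatchedResource>WEB-INF/web.xml</WatchedResource>
</Context>
EOF

# allow_linking_enabled FILE
#   Returns 0 when FILE's <Context ...> tag sets allowLinking to true
#   (either quote style, case-insensitive), 1 otherwise.
allow_linking_enabled() {
    # Collapse newlines so a <Context> tag spread over several lines
    # is still matched as one tag.
    tr '\n' ' ' < "$1" | grep -iq '<Context[^>]*allowLinking=.true.'
}

# audit_tomcat_conf DIR
#   Prints each *.xml file under DIR that still enables allowLinking.
#   Returns 0 when none are found, 1 when at least one is.
audit_tomcat_conf() {
    found=0
    for f in "$1"/*.xml; do
        [ -f "$f" ] || continue
        if allow_linking_enabled "$f"; then
            echo "allowLinking=true in: $f"
            found=1
        fi
    done
    return $found
}

# Usage: audit the scratch directory; on a real server point it at
# $TOMCAT_HOME/conf and the per-application META-INF/context.xml files.
if audit_tomcat_conf "$WORK"; then
    echo "no Context element enables allowLinking"
fi
```

On a Windows host the audit should report the weak file only; after the attribute is removed and Tomcat restarted, the same check comes back clean. Note that in Tomcat 8.0 and later allowLinking is an attribute of the <Resources> element rather than <Context>, so an audit for those versions needs to look at that element too.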