https://bz.apache.org/bugzilla/show_bug.cgi?id=61369

--- Comment #5 from Christopher Schultz <ch...@christopherschultz.net> ---
(In reply to Mark Thomas from comment #3)
> The canonical path check is still required to enforce the required case
> sensitivity.
> 
> The Windows APIs, most likely for reasons dating back to how 8.3 filenames
> were stored [1], ignore trailing periods in file names. That explains why
> allowLinking="true" enables this vulnerability. As far as the OS APIs are
> concerned, "/WEB-INF./web.xml" is the same as "/WEB-INF/web.xml" and setting
> allowLinking="true" bypasses the additional checks Tomcat performs to ensure
> an exact match between the requested path and the canonical path.
> 
> Just need confirmation from the OP that allowLinking="true" was being used
> and this issue can be closed.
> 
> [1]
> https://superuser.com/questions/585097/why-does-ntfs-disallow-the-use-of-trailing-periods-in-directory-names

I propose the following:

1. On Windows, check for "/WEB-INF." and any other special paths which are
already checked for access.

and/or

2. On Windows, if allowLinking="true", drop a GIANT ERROR to stdout and do a
Thread.sleep(5mins) before proceeding with bringing up the server.
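
Proposal 1 above, as an added example that is not part of the original comment or of Tomcat's code: each path segment is compared against the protected names after dropping the trailing periods that the Windows APIs ignore. The class and method names are hypothetical, META-INF is included as the other directory Tomcat protects, and the request path is assumed to already use forward slashes.

```java
import java.util.List;
import java.util.Locale;
import java.util.Set;

public class ProtectedPathCheck {
    // Directories that must never be served directly to clients.
    private static final Set<String> PROTECTED = Set.of("WEB-INF", "META-INF");

    /** Return the segment as the Windows file APIs see it: trailing periods dropped. */
    static String windowsView(String segment) {
        int end = segment.length();
        while (end > 0 && segment.charAt(end - 1) == '.') {
            end--;
        }
        return segment.substring(0, end);
    }

    /** True if any segment of the path would resolve to a protected directory on Windows. */
    static boolean hitsProtectedDir(String requestPath) {
        for (String segment : requestPath.split("/")) {
            // Compare case-insensitively: this pre-check does not rely on the
            // canonical path comparison to enforce case.
            String seen = windowsView(segment).toUpperCase(Locale.ROOT);
            if (PROTECTED.contains(seen)) {
                return true;
            }
        }
        return false;
    }

    public static void main(String[] args) {
        // Constructed sample request paths, not taken from the bug report.
        List<String> samples = List.of(
                "/index.jsp",
                "/WEB-INF/web.xml",
                "/WEB-INF./web.xml",
                "/web-inf../web.xml",
                "/docs/WEB-INF.txt");
        for (String path : samples) {
            System.out.printf("%-22s %s%n", path,
                    hitsProtectedDir(path) ? "REJECT" : "allow");
        }
    }
}
```

Because the comparison runs on the request path itself, it holds even when allowLinking="true" has switched off the canonical path comparison.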
