[jboss-dev] Re: VFS 2.0.0.CR1

Rémy Maucherat remy.maucherat at gmail.com
Mon May 26 06:42:19 EDT 2008


On Fri, May 23, 2008 at 4:27 PM, Scott Stark <sstark at redhat.com> wrote:
> JBVFS-11 is based on tomcat code exploit issues, so it's only critical if
> tomcat is using the vfs for this check. I don't think we currently are. It's
> a critical issue in order to be able to update the tomcat code to be based
> on vfs, but probably not for the vfs 2.0.0.GA since I don't see much work
> being done on the tomcat integration side for the initial jbossas release.

Tomcat uses the VFS right now (through a dir context implementation,
which was very easy to do). The VFS would need an optional case
sensitivity option (which would default to case insensitive, and would
probably do nothing except if based on straight files). The best way
to implement it is normally to compare the path that is requested with
the canonical path of the file (you already quoted the code in the
forum topic). I think moving Tomcat away from the VFS would be bad.
Another option would be to see if it is possible to hack something in
the VFS dir context implementation that Tomcat uses (I'll look at the
API that is exposed to see if it is possible).

Rémy
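
The comparison of the requested path with the file's canonical path, described in the message above, as an added example that is not part of the original post and is not Tomcat or JBoss VFS code. It uses plain `java.io.File` rather than the VFS API; the class name, the `lookup` method, its `caseSensitive` flag and the sample file names are all hypothetical.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;

public class CaseSensitiveLookup {

    /**
     * Returns the file for requestedPath under base, or null when it is missing
     * or (with caseSensitive on) when the name on disk differs from the name
     * that was asked for.
     */
    static File lookup(File base, String requestedPath, boolean caseSensitive)
            throws IOException {
        // Canonicalise the base once so that a symlinked base (e.g. a temp
        // directory) does not itself trigger a mismatch below.
        File canonicalBase = base.getCanonicalFile();
        File requested = new File(canonicalBase, requestedPath);
        if (!requested.exists()) {
            return null;
        }
        if (!caseSensitive) {
            return requested;   // accept whatever the file system resolved
        }
        // On a case-insensitive file system exists() is true for any casing,
        // but getCanonicalPath() reports the name as stored on disk.
        // Symlinks and ".." segments below the base also fail this comparison.
        String asRequested = requested.getAbsolutePath();
        String onDisk = requested.getCanonicalPath();
        return asRequested.equals(onDisk) ? requested : null;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: <tmp>/docs/Readme.txt
        File base = Files.createTempDirectory("vfs-case-demo").toFile();
        File docs = new File(base, "docs");
        Files.createDirectories(docs.toPath());
        Files.createFile(new File(docs, "Readme.txt").toPath());

        for (String path : new String[] {"docs/Readme.txt", "docs/README.TXT", "DOCS/Readme.txt"}) {
            File hit = lookup(base, path, true);
            System.out.println(path + " -> " + (hit != null ? "served" : "not found"));
        }
    }
}
```

With the check enabled, only the exact-case request is served on both case-sensitive and case-insensitive file systems, so a deployment behaves the same on either.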



