[jboss-dev-forums] [Design the new POJO MicroContainer] - Re: VFS security issues for jbossweb
mstruk
do-not-reply at jboss.com
Sun Jun 8 14:49:17 EDT 2008
I looked into this issue, and I have a working solution (not yet committed).
As Scott mentioned briefly - there is a problem determining the actual name of the file reliably across operating systems. On Windows, where the filesystem is not case sensitive, the canonical name is reliable. On Unix, when there are no symbolic links, the canonical name is reliable as well. However, if symbolic links are present, the canonical name will return the name of the file pointed to by the link - likely a different name than returned by parent.list() - name matching will fail and files and directories that do exist will appear to not exist.
Windows NTFS also has support for directory links (junctions), but these are invisible to Java and pose no problem.
As far as I understand, there is no need to turn on case sensitivity on Unix platforms - so extra name checking in addition to File.exists() is redundant (even unreliable if symlinks are present).
Also as I understand Tomcat integration code would be the only one to require this functionality, so it should be the one to turn on case sensitivity for specific VFS contexts only - by adding an option '?caseSensitive=true' to VFS context URL.
Maybe there could be some system property set in run.bat, but not in run.sh, to help Tomcat integration code decide whether to use VFS case sensitivity or not.
I also added a system property (jboss.vfs.forceCaseSensitive=true) that can be used to force case sensitivity on all VFS filesystem contexts, although I don't see why anyone would need that.
If everything sounds ok I'll commit, and then someone can try it with Tomcat integration code.
Cheers,
- marko
View the original post : http://www.jboss.com/index.html?module=bb&op=viewtopic&p=4156509#4156509
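
The name-matching problem described in the post, as an added Java example that is not part of the original message or the JBoss VFS code: it compares a requested name against the canonical file name and against parent.list(), and shows the canonical check rejecting a symlink that does exist. The class name, helper methods and the temporary sample tree are constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;
import java.util.Arrays;

public class CaseCheckDemo {
    // Check 1: the requested name must equal the canonical file's name.
    static boolean matchesCanonicalName(File f) throws IOException {
        return f.exists() && f.getCanonicalFile().getName().equals(f.getName());
    }

    // Check 2: the requested name must appear, with exact case, in parent.list().
    static boolean matchesParentListing(File f) {
        String[] names = f.getParentFile().list();
        return names != null && Arrays.asList(names).contains(f.getName());
    }

    static void report(String label, File f) throws IOException {
        System.out.printf("%-12s exists=%-5b canonical=%-5b listing=%b%n",
                label, f.exists(), matchesCanonicalName(f), matchesParentListing(f));
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree in a temporary directory.
        Path dir = Files.createTempDirectory("vfs-case-demo");
        Path real = Files.createFile(dir.resolve("Real.txt"));

        report("exact name", real.toFile());
        // On Windows exists() is true here while both name checks return false;
        // on a case-sensitive filesystem all three are false.
        report("wrong case", dir.resolve("REAL.TXT").toFile());

        try {
            Path link = Files.createSymbolicLink(dir.resolve("link.txt"), real);
            // The canonical name resolves to Real.txt, so check 1 reports an
            // existing entry as missing, while the listing check accepts it.
            report("symlink", link.toFile());
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symlink case skipped: " + e);
        }
    }
}
```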