Tomcat provides an allowLinking attribute on the StandardContext that lets Tomcat, when running on Linux, serve paths that go through symbolic links. If this attribute is true, symbolic links inside the web application may point to resources outside the web application's base path. In a Geronimo-Tomcat server, the attribute is configured with the system property org.apache.geronimo.tomcat.GeronimoStandardContext.allowLinking. If the property is not specified, the attribute defaults to false.

This flag MUST NOT be set to true on Windows (or on any other OS whose filesystem is not case sensitive), because doing so disables Tomcat's case-sensitivity checks and allows JSP source code disclosure, among other security problems.
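The practical risk of allowLinking=true is that any symbolic link an administrator or a deploy script drops into the web application directory becomes a web-reachable path, even when it points at files outside the application base. The audit below is an added example (not code from the Geronimo or Tomcat projects) that walks a webapp directory, resolves every symbolic link it finds, and reports the ones whose target lies outside the webapp base, i.e. exactly the files that would become servable if the flag were enabled. The function names and the throwaway directory layout it builds are constructed for this example; the system property named in the comments is the one the page documents.

```python
import os
import tempfile
from pathlib import Path


def find_escaping_symlinks(webapp_base):
    """Return a list of (link relative to base, resolved target) for every
    symbolic link under webapp_base whose target resolves outside the base.

    These are the resources that org.apache.geronimo.tomcat
    .GeronimoStandardContext.allowLinking=true would expose to HTTP clients;
    with the default (false) Tomcat refuses to serve them.
    """
    base = Path(webapp_base).resolve()
    findings = []
    # followlinks=False: symlinked directories are listed but not descended,
    # so the walk cannot loop and cannot wander outside the base itself.
    for root, dirs, files in os.walk(base, followlinks=False):
        for name in dirs + files:
            link = Path(root) / name
            if not link.is_symlink():
                continue
            # strict=False keeps broken links (reported with their best-effort
            # target) instead of raising.
            target = link.resolve(strict=False)
            inside = target == base or base in target.parents
            if not inside:
                findings.append((str(link.relative_to(base)), str(target)))
    return findings


def build_demo_webapp():
    """Construct a throwaway webapp layout (constructed sample data, not a
    real deployment): one harmless in-tree link and one link that escapes
    the webapp base via a relative path."""
    tmp = Path(tempfile.mkdtemp()).resolve()
    webapp = tmp / "webapps" / "demo"
    (webapp / "WEB-INF").mkdir(parents=True)
    (webapp / "static").mkdir()
    (webapp / "index.jsp").write_text("<html>ok</html>")
    # A file that lives outside the web application base path.
    (tmp / "outside-secret.txt").write_text("not for the web")
    # In-tree link: stays inside the base, no finding expected.
    os.symlink("index.jsp", webapp / "home.jsp")
    # Escaping link: ../../../ climbs from static/ to tmp/, above the base.
    os.symlink("../../../outside-secret.txt", webapp / "static" / "leak.txt")
    return webapp


if __name__ == "__main__":
    app = build_demo_webapp()
    for rel, target in find_escaping_symlinks(app):
        print(f"ESCAPING LINK: {rel} -> {target}")
```

Run it against a real deployment directory (e.g. the directory that a Geronimo-Tomcat context is unpacked into) before considering turning the property on; an empty result is the state in which allowLinking=true adds no new exposure, and any reported entry is a file that would be served from outside the application.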
