Issues » Read access to restricted files in Tomcat on Windows

Issue: SI-43
Date: Mar 13, 2017 12:00:00 AM
Severity: Moderate
Requires Admin Access: No
Fix Version: n/a
Credit: Client
Description:

When running on an OS which does not have a case sensitive filesystem (i.e. Windows), you must not run with the "allowLinking" options turned on:  https://tomcat.apache.org/tomcat-8.0-doc/config/resources.html  Running in this environment with this setting set to true, sensitive files like those located in the META-INF can be exposed with the properly formatted browser request.

This setting is located in your context.xml - i.e. "<Resources allowLinking="true" />"

Back to the top