Welcome to Hi Gopi!
Announcement
Please bear the following rules to make this forum an information rich good online technical resource.
Technical discussions/informative posts only
No Marketing/Donation/Promotion posts
No personal attacks/verbal abuse
NOTE: New users registrations are closed. Please send me an email if you wish to register in this forum.
#1 16-Nov-2007,Fri 08:05:37
- gvvijaykumar
- Active Member
Can we put our uploaded files inside WEB-INF
Hi,
I have a doubt. Can we put our uploaded files, like confidential files, inside the WEB-INF folder, like WEB-INF/upload/files?
Because I hope nobody has direct access from the web to that folder and files.
Are there any effects on the web server or application if we put more and more files under the WEB-INF folder?
Thanks&Regards,
Vijay Kumar,
Software Engineer.
#2 17-Nov-2007,Sat 06:11:28
- higopi
- Expert Member

Re: Can we put our uploaded files inside WEB-INF
As you might already know, the WEB-INF directory is 'special'; anything under it is not to be served directly to web clients, as it contains Java class files (for servlets etc.) and configuration information for the web application. Hence, when an application server receives any request for /WEB-INF/ it will usually return a '403 Forbidden' or even a '404 Not Found' HTTP error.
A vulnerability exists in multiple Win32 servlet engines whereby if you append a dot ('.') to the end of WEB-INF in the requested URL, it is possible to retrieve the contents of any files within that directory.
For example:
http://www.someserver.com/WEB-INF./web.xml
If your server is not based on Win32, you don't need to worry about it; otherwise you need to patch your application server product for this vulnerability.
Coming back to your question, ideally it should not create any problem if you store your user upload files under /WEB-INF/upload/files/.
You should be able to write and retrieve the files using the physical path of the directory. The server won't load any directory other than the standard J2EE web application directories (like /WEB-INF/lib/ or /WEB-INF/classes/). So it won't be a problem even if /WEB-INF/upload/files/ grows day by day.
But it's not advisable to use the /WEB-INF/ directory for any other purpose like this. So I would suggest you use some other file system directory (like /var/upload/files or /home/user/upload/files).
Thanks,
Gopi
Pick any two of "Quality, Quick, Cheap" service from me.
#3 17-Nov-2007,Sat 08:29:00
- gvvijaykumar
- Active Member
Re: Can we put our uploaded files inside WEB-INF
Hi Gopi,
First, thanks for the valuable information.
As you advised to use /var/upload/files or /home/user/upload/files.
If the user knows the path, they can access the whole file list and view the files directly. But in my application a particular user has access to his/her submitted files only, and they are confidential. So I got this thought of putting them inside the WEB-INF folder.
I have done the process for writing and retrieving files inside WEB-INF using the physical path and am able to apply the session. It's working on any system. Mine is a Linux server and the web server is Tomcat 5.5.
And as you stated, if we append (.) after WEB-INF like
for me it is giving a 404 error, not showing any content of web.xml.
Once again, I am thankful for your valuable suggestions.
Thanks&Regards,
Vijay Kumar,
Software Engineer.
#4 17-Nov-2007,Sat 21:05:23
- higopi
- Expert Member

Re: Can we put our uploaded files inside WEB-INF
Hi Vijay,
//If the user knows the path they can access all the files list and view directly. //
I am not getting what you say. Do you mean all the users have telnet/ssh access to your server? Even then, only if the user knows the path can they access it. If so, they can even read all the JSP source files and crack the business logic used in your code.
If they don't have any other access to the server except web access, then we won't have our directory (/var/upload/files or /home/user/upload/files) mapped to any web path in the application server configuration file. So the users cannot access this path from a web browser directly.
But at the same time you can use the Java file read/write API to implement the upload and download. Also, you can implement the user authentication and authorization from JSP.
Thanks,
Gopi
Pick any two of "Quality, Quick, Cheap" service from me.
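An added example (not code from this thread) of the approach described in post #4: the files live in a directory outside the web application, and the download code, not the URL, decides which file a logged-in user may read. The class and method names, the per-user subdirectory layout and the sample users are assumptions; it uses java.nio.file, which needs Java 7 or later.

```java
import java.io.IOException;
import java.nio.charset.StandardCharsets;
import java.nio.file.Files;
import java.nio.file.Path;

public class UploadStore {
    private final Path root;

    public UploadStore(Path root) throws IOException {
        this.root = root.toRealPath();          // canonical storage root, e.g. /var/upload/files
    }

    /** Returns the file only if it lies inside sessionUser's own directory. */
    public Path resolveForUser(String sessionUser, String requestedName) throws IOException {
        // sessionUser must come from the authenticated session, never from a request parameter.
        if (!sessionUser.matches("[A-Za-z0-9_]{1,32}"))
            throw new SecurityException("invalid user id");
        Path userDir = root.resolve(sessionUser);
        // normalize() collapses "..", and an absolute requestedName replaces userDir entirely;
        // both cases fail the containment check below.
        Path candidate = userDir.resolve(requestedName).normalize();
        if (!candidate.startsWith(userDir))
            throw new SecurityException("path escapes user directory");
        // toRealPath() follows symlinks (and throws if the file is missing), so re-check.
        Path real = candidate.toRealPath();
        if (!real.startsWith(userDir) || !Files.isRegularFile(real))
            throw new SecurityException("not a regular file in user directory");
        return real;
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample data: two hypothetical users, one file each, in a temp directory.
        Path root = Files.createTempDirectory("upload-demo");
        Files.createDirectories(root.resolve("alice"));
        Files.createDirectories(root.resolve("bob"));
        Files.write(root.resolve("alice/report.txt"), "alice".getBytes(StandardCharsets.UTF_8));
        Files.write(root.resolve("bob/notes.txt"), "bob".getBytes(StandardCharsets.UTF_8));

        UploadStore store = new UploadStore(root);
        System.out.println("allowed: " + store.resolveForUser("alice", "report.txt"));
        for (String name : new String[] {"../bob/notes.txt", "/etc/passwd"}) {
            try {
                store.resolveForUser("alice", name);
                System.out.println("UNEXPECTED: served " + name);
            } catch (SecurityException e) {
                System.out.println("denied " + name + ": " + e.getMessage());
            }
        }
    }
}
```

In a servlet or Struts action, the returned path would be streamed to the response only after the login check has set the session user.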
#5 19-Nov-2007,Mon 05:39:40
- gvvijaykumar
- Active Member
Re: Can we put our uploaded files inside WEB-INF
Hi Gopi,
Really, I was confused in my assumptions; I might have been thinking in the wrong way. Yes, users will have only web access.
And for file upload and download, I have used the Java File API
in a Struts action class for authentication and upload/download.
Last edited by gvvijaykumar (19-Nov-2007,Mon 05:41:40)
Thanks&Regards,
Vijay Kumar,
Software Engineer.
#6 10-Dec-2010,Fri 07:46:03
Re: Can we put our uploaded files inside WEB-INF
===================
ORIGINAL POST DELETED!!!!
===================
Hi Alfred,
Original content of this post violates the following:
"No Marketing/Donation/Promotion posts"
Hence, it's deleted. If this is repeated, your user account may be banned.
- Admin
Last edited by Alfred (13-Dec-2010,Mon 13:10:39)
Re: Can we put our uploaded files inside WEB-INF
===================
ORIGINAL POST DELETED!!!!
===================
Hi hafizua,
Original content of this post violates the following:
"No Marketing/Donation/Promotion posts"
Hence, it's deleted. If this is repeated, your user account may be banned.
- Admin