There are two parts to serving aliased files with Jetty: alias detection and then alias serving.
Jetty runs in a mode where all file accesses are checked for aliases, such as case insensitivity, short names, symbolic links and extra characters (e.g. %00).
Alias requests are a security problem because web application security constraints are applied with case-sensitive URL patterns. For example, if a security constraint is placed on /mySecretFolder/* and alias checking was not implemented, then on a win32 system the following requests could retrieve files from that URL:
File name aliases come in many forms, including case insensitivity, VMS version numbers, Unix symbolic links, 8.3 short names, etc. While some of these aliases (e.g. symbolic links) are deliberate, there is no general way to tell this in portable 100% Java.
Jetty detects aliases by comparing the file's absolutePath with its canonicalPath.
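The comparison described above, as an added example that is not Jetty's own code: it builds a constructed temp tree and reports which request paths reach a file under a name other than its canonical one. The names AliasCheckDemo, isAlias, report and "shortcut" are hypothetical, and java.nio.file (Java 7 or later) is assumed for creating the sample files.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.Path;

public class AliasCheckDemo {

    /** True when the requested path is not the canonical name of the file it reaches. */
    static boolean isAlias(File requested) throws IOException {
        return !requested.getAbsolutePath().equals(requested.getCanonicalPath());
    }

    static void report(String label, File f) throws IOException {
        System.out.printf("%-14s exists=%-5b alias=%-5b %s%n",
                label, f.exists(), isAlias(f), f.getPath());
    }

    public static void main(String[] args) throws IOException {
        // Constructed sample tree: <tmp>/mySecretFolder/secret.txt
        // Resolve the temp dir first so a symlinked temp location does not flag every path.
        Path base = Files.createTempDirectory("alias-demo").toRealPath();
        Path folder = Files.createDirectory(base.resolve("mySecretFolder"));
        Path secret = Files.createFile(folder.resolve("secret.txt"));

        // The canonical name: absolute and canonical paths match, so it is served.
        report("real name", secret.toFile());

        // Case variant: an alias of the same file on win32; on a case-sensitive
        // file system it names a different, nonexistent file.
        report("case variant", new File(base.toFile(), "MYSECRETFOLDER/secret.txt"));

        // Symbolic link to the protected folder: the canonical path resolves the
        // link, so it differs from the absolute path and the request is an alias.
        try {
            Path link = Files.createSymbolicLink(base.resolve("shortcut"), folder);
            report("symbolic link", new File(link.toFile(), "secret.txt"));
        } catch (IOException | UnsupportedOperationException e) {
            System.out.println("symbolic link: not created on this platform (" + e + ")");
        }
    }
}
```

The check cannot tell a deliberate symbolic link from an accidental alias, which is why the link is flagged even though it was created on purpose.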
Alias detection can be turned off by setting the System Property org.mortbay.util.FileResource.checkAliases to false. If alias checking is not used, then greater care is needed when designing security constraints. It is recommended that a restrictive constraint be applied to a whole subtree of URL space and then selective constraints be applied to relax security only for specific URLs.
By default, Jetty checks for aliases and disallows the serving of aliased files. If instead you wish to allow aliased files to be served, then you set the <init-param> called "aliases" to "true" fo