1 Reply Latest reply on Jun 23, 2008 5:47 PM by peterj

    new File(".") points to user's Desktop. Possible security bug

      Hi All,

      I was wondering if some of you could help me out with this. I have a web app running under JBoss. I have a class that has a static method. In this class I have the following code:

      System.out.println( "Path = " + new File(".").getAbsolutePath() );
      


      When I start JBoss and go to the page that executes this method I see this in my console:

      Path = C:\Documents and Settings\User\Desktop\

      I was wondering, shouldn't JBoss prevent accessing anything outside the JBoss directory? If so, is this a possible security bug?

      Thanks in advance,
      Martyn



        • 1. Re: new File(
          peterj

          Servlets, EJBs, and their supporting classes can access anything on the server. Unless you are really into setting security permissions, in which case you can limit what they have access to.

          But as far as this being a security bug? No, it isn't. A security bug would be if a user could enter a URL such as http://hostname:8080/home/xxx/foo.doc to access a document in user xxx's home directory. In other words, only files within a WAR file (not in meta-inf or web-inf), or in a directory set up for static content, should be accessible from a URL to have a secure environment.
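
The distinction drawn in the reply above, as an added example that is not part of the original thread: `new File(".")` simply resolves against the JVM's working directory, while the real exposure is a URL path that maps to a file outside the static-content directory. The class `StaticContentResolver`, its `resolve` method and the sample request paths are hypothetical and constructed for illustration.

```java
import java.io.File;
import java.io.IOException;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.Path;

public class StaticContentResolver {
    private final Path root;

    public StaticContentResolver(Path contentRoot) throws IOException {
        // Canonical form of the content root, with symlinks resolved.
        this.root = contentRoot.toRealPath();
    }

    /** Returns the file for a URL path, or null if it is outside the root. */
    public Path resolve(String urlPath) throws IOException {
        // Strip leading separators so the request is always root-relative.
        String relative = urlPath.replaceFirst("^[/\\\\]+", "");
        Path candidate;
        try {
            candidate = root.resolve(relative).normalize();
        } catch (InvalidPathException e) {
            return null;                      // malformed path, refuse
        }
        if (!candidate.startsWith(root)) {
            return null;                      // "../" escaped the root
        }
        if (!Files.isRegularFile(candidate)) {
            return null;                      // missing file or a directory
        }
        // Re-check after following symlinks that may point outside the root.
        Path real = candidate.toRealPath();
        return real.startsWith(root) ? real : null;
    }

    public static void main(String[] args) throws IOException {
        // "." is relative to wherever the JVM was launched, not to JBoss.
        System.out.println("user.dir      = " + System.getProperty("user.dir"));
        System.out.println("new File(\".\") = " + new File(".").getCanonicalPath());

        // Constructed content root and request paths.
        Path rootDir = Files.createTempDirectory("static-content");
        Files.write(rootDir.resolve("index.html"), "ok".getBytes());
        StaticContentResolver resolver = new StaticContentResolver(rootDir);
        String[] requests = {"/index.html", "/../../home/xxx/foo.doc", "/missing.html"};
        for (String request : requests) {
            System.out.println(request + " -> " + resolver.resolve(request));
        }
    }
}
```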