Is it a security risk to show a path to a file inside WEB-INF java

Question

Was wondering whether this would be a potential security risk. I have a Java servlet web app and at the bottom of every page, I generate a "report page problem" link which includes the original URL request as well as the path to the JSP that the request was forwarded to. The thing is the JSP pages are sometimes in the WEB-INF folder. Is this a potential security risk? As I might be showing the contents of WEB-INF?

It might show that the request was forwarded to

/WEB-INF/views/user/ViewUser.jsp for example.

Recommended answer

You could remove part of the path while printing the path and I do not see why users need to know from which JSP the request was forwarded. Otherwise it is not a very big problem as Servlet containers won't serve any content in WEB-INF. By putting your JSPs there, you prevent anyone from directly accessing a JSP by navigating to it in the browser by name.
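
One way to do the path trimming suggested in the answer, as an added example that is not part of the original post: the report link carries a short view id instead of the `/WEB-INF/...` path. The class and method names, the `/WEB-INF/views/` root (taken from the example path in the question) and the `/report-problem` URL are assumptions.

```java
import java.net.URLEncoder;
import java.nio.charset.StandardCharsets;

// Added example: builds the "report page problem" link without exposing the
// internal JSP location. Class, method and parameter names are hypothetical.
public final class ReportLink {

    // Assumed layout, based on the example path in the question.
    private static final String VIEW_ROOT = "/WEB-INF/views/";
    private static final String JSP_SUFFIX = ".jsp";

    private ReportLink() {}

    /** Maps "/WEB-INF/views/user/ViewUser.jsp" to the view id "user/ViewUser". */
    static String viewId(String forwardPath) {
        if (forwardPath == null || !forwardPath.startsWith(VIEW_ROOT)) {
            return "unknown"; // never echo a path that is not a known view
        }
        String id = forwardPath.substring(VIEW_ROOT.length());
        if (id.endsWith(JSP_SUFFIX)) {
            id = id.substring(0, id.length() - JSP_SUFFIX.length());
        }
        return id;
    }

    /** Builds the link target; both values are URL-encoded as query parameters. */
    static String reportHref(String reportUrl, String originalUrl, String forwardPath) {
        return reportUrl
                + "?url=" + URLEncoder.encode(originalUrl, StandardCharsets.UTF_8)
                + "&view=" + URLEncoder.encode(viewId(forwardPath), StandardCharsets.UTF_8);
    }

    public static void main(String[] args) {
        // Constructed sample values.
        String href = reportHref("/report-problem",
                "/app/user?id=42",
                "/WEB-INF/views/user/ViewUser.jsp");
        System.out.println(href);
    }
}
```

When the link is written into the JSP, the resulting string still needs HTML attribute escaping (for example with JSTL's `<c:out>` or `fn:escapeXml`), since the original request URL is user-controlled.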
