To ensure secure-by-default behavior on Windows, implement the following checks in Runwar's custom mapped resource manager so that all incoming paths are kosher before anything is served:
Verify incoming paths using Path.toRealPath()
Limit default servlet handler with extension whitelist
If the web server needs to serve up a static file that's not in the default list, then additional extensions can be specified like so in the server.json:
Also, add these experimental features to help with server migrations.
Ability to force case sensitivity for the web server on a case insensitive server like Windows (so you can mimic docker/production in your local dev)
Ability to force case insensitivity for the web server on a case sensitive server like Linux (to help people transition from IIS/Windows to Docker/Linux)
If not specified, the default behavior will continue to be to inherit the case sensitivity of the underlying file system. This setting only affects the serving of static files via CommandBox's web server and verification of .cfm files. It does not affect how your CF code interacts with the file system.
There is low-level file system logging in Runwar that generates a lot of output, so it's off by default. Provide a way to enable it when troubleshooting file system access via the mapped resource manager:
Since the settings above are experimental, there are no first-class settings in server.json for them. Beware of the performance overhead when forcing case insensitivity on Linux (every path component has to be matched against a directory listing). There is no performance overhead from forcing case sensitivity on Windows. In fact, it's probably a little faster.
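The following is an added example, not Runwar's or CommandBox's own code, showing how the checks above fit together in one resolver: the lexical `..` check, the `Path.toRealPath()` check that catches symlinks and junctions pointing outside the web root, the extension whitelist for the default servlet, and the two experimental case-sensitivity overrides. The constructor arguments are assumptions: the web root, the set of allowed extensions (however the server.json setting ends up being named), and a three-state `Boolean` where `TRUE` forces case sensitivity, `FALSE` forces case insensitivity and `null` inherits the file system.

```java
import java.io.IOException;
import java.nio.file.DirectoryStream;
import java.nio.file.Files;
import java.nio.file.InvalidPathException;
import java.nio.file.NoSuchFileException;
import java.nio.file.Path;
import java.util.Locale;
import java.util.Set;

/** Added example: resolves a request path to a static file under the web root, or refuses it. */
public class SafeStaticResolver {

    private final Path webroot;               // canonical (real) web root
    private final Set<String> allowedExt;     // lower-case extensions the default servlet may serve (assumed source: server.json)
    private final Boolean forceCaseSensitive; // TRUE / FALSE to override the file system, null to inherit

    public SafeStaticResolver(Path webroot, Set<String> allowedExt, Boolean forceCaseSensitive) throws IOException {
        this.webroot = webroot.toRealPath();  // resolve the root itself so later prefix checks are meaningful
        this.allowedExt = allowedExt;
        this.forceCaseSensitive = forceCaseSensitive;
    }

    /** Returns the real file to serve, or null when the request must be refused (404/403 decided upstream). */
    public Path resolve(String requestPath) throws IOException {
        if (requestPath == null || requestPath.indexOf('\0') >= 0) {
            return null;                               // an embedded NUL can truncate the path in native layers
        }
        String rel = requestPath.replace('\\', '/');
        while (rel.startsWith("/")) rel = rel.substring(1);

        // 1. Lexical check: cheap, but it cannot see through symlinks or junctions.
        Path candidate;
        try {
            candidate = webroot.resolve(rel).normalize();
        } catch (InvalidPathException e) {
            return null;                               // e.g. illegal characters on Windows
        }
        if (!candidate.startsWith(webroot)) {
            return null;                               // "../" climbed out of the root
        }

        // 2. Real-path check: what is actually on disk, with links followed and true on-disk case.
        Path real;
        try {
            Path onDisk = Boolean.FALSE.equals(forceCaseSensitive) ? matchIgnoringCase(candidate) : candidate;
            if (onDisk == null) return null;
            real = onDisk.toRealPath();
        } catch (NoSuchFileException e) {
            return null;
        }
        if (!real.startsWith(webroot)) {
            return null;                               // a link inside the root pointed outside it
        }

        // 3. Forced case sensitivity: on Windows Path.equals() ignores case, so compare the strings.
        //    Reject only when the request differs from the on-disk name purely by case.
        String want = candidate.toString(), have = real.toString();
        if (Boolean.TRUE.equals(forceCaseSensitive) && want.equalsIgnoreCase(have) && !want.equals(have)) {
            return null;                               // /Foo.txt requested but foo.txt is on disk
        }

        // 4. Default servlet: regular files with a whitelisted extension only.
        if (!Files.isRegularFile(real)) {
            return null;                               // directories / welcome files are handled elsewhere
        }
        return allowedExt.contains(extensionOf(real)) ? real : null;
    }

    /** Emulates a case-insensitive file system by listing each directory; costs a listing per path component. */
    private Path matchIgnoringCase(Path candidate) throws IOException {
        Path current = webroot;
        for (Path component : webroot.relativize(candidate)) {
            String wanted = component.toString();
            Path exact = current.resolve(wanted);
            Path found = Files.exists(exact) ? exact : null;   // exact match wins, no listing needed
            if (found == null && Files.isDirectory(current)) {
                try (DirectoryStream<Path> entries = Files.newDirectoryStream(current)) {
                    for (Path entry : entries) {
                        if (entry.getFileName().toString().equalsIgnoreCase(wanted)) {
                            found = entry;
                            break;
                        }
                    }
                }
            }
            if (found == null) return null;
            current = found;
        }
        return current;
    }

    private static String extensionOf(Path file) {
        String name = file.getFileName().toString();
        int dot = name.lastIndexOf('.');
        return dot < 0 ? "" : name.substring(dot + 1).toLowerCase(Locale.ROOT);
    }
}
```

The order matters: the lexical check alone is not enough, because a symlink or NTFS junction inside the web root resolves lexically to a safe-looking path while `toRealPath()` reveals the real target, so the `startsWith(webroot)` test is repeated on the real path. The case-sensitivity override is applied to the real path as well, which is why forcing sensitivity on Windows adds no extra I/O (the string comparison is free once `toRealPath()` has run), while forcing insensitivity on Linux needs a directory listing per component, matching the performance note above.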