WebSEAL performs security checks on client requests to junctioned back-end servers based on the file paths specified in the URL. A compromise in this security check can occur because Win32 file systems allow two different methods for accessing long file names.
The first method acknowledges the entire file name. For example:
abcdefghijkl.txt
The second method recognizes the old 8.3 file name format for backward compatibility. For example:
abcdef~1.txt
When you create junctions in a Windows environment, it is important to restrict access control to one object representation only and not allow the possibility of "back doors" that bypass the security mechanism.
The -w option on a junction provides the following measures of protection:
When the junction is configured with the -w option, a user cannot avoid an explicit ACL on a long file name by using the short (8.3) form of the file name. The server returns a "403 Forbidden" error on any short form file name entered.
If a file or directory name contains trailing dots, a "403 Forbidden" error is returned.
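The two checks above (rejecting 8.3 short names and trailing dots), as an added Python example that is not WebSEAL's own code: a toy authorizer keyed on canonical long file names shows why a request spelled in an alternate Win32 form slips past the ACL unless a -w style rejection runs first. The short-name pattern, the default-permit rule for paths without an ACL, and the sample ACL are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Approximation of the Win32 8.3 short-name form, e.g. "abcdef~1.txt":
# a stem ending in "~" plus a number, optionally followed by one extension.
# This pattern is an assumption for the example, not WebSEAL's own rule.
_SHORT_NAME_RE = re.compile(r"^[^.]*~\d+(\.[^.]*)?$")


def is_alternate_windows_name(segment: str) -> bool:
    """True if a path segment is a non-canonical Win32 spelling of a name:
    an 8.3 short name, or a name carrying trailing dots."""
    if segment in ("", ".", ".."):
        return False          # ordinary path navigation, not a file name
    if segment.endswith("."):
        return True           # trailing dots are dropped by Win32 on open
    return bool(_SHORT_NAME_RE.match(segment))


def check_request(url_path: str, user: str, acl: dict, reject_alternates: bool) -> int:
    """Return an HTTP status for a request.

    acl maps canonical (long) file paths to the set of users allowed to read
    them. Paths with no ACL entry are permitted (assumption for the example).
    reject_alternates mimics the -w option: refuse any alternate spelling
    before the ACL is consulted, so the ACL can only ever be matched by the
    canonical name it protects.
    """
    path = unquote(url_path)  # decode once so %7E / %2E cannot hide the form
    if reject_alternates:
        if any(is_alternate_windows_name(seg) for seg in path.split("/")):
            return 403
    allowed = acl.get(path)
    if allowed is not None and user not in allowed:
        return 403
    return 200


# Constructed sample ACL: only alice may read the long-named file.
SAMPLE_ACL = {"/docs/abcdefghijkl.txt": {"alice"}}

if __name__ == "__main__":
    for hardened in (False, True):
        for req in ("/docs/abcdefghijkl.txt", "/docs/abcdef~1.txt",
                    "/docs/abcdefghijkl.txt%2E"):
            print(f"-w={'on' if hardened else 'off'} bob {req} ->",
                  check_request(req, "bob", SAMPLE_ACL, hardened))
```

Without the rejection step, bob is denied on the canonical name but the ACL is never consulted for the short-name or trailing-dot spelling, which is exactly the back door the -w option closes.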
The -w option is also supported on virtual host junctions. See Virtual host junctions and Command option summary: Virtual host junctions.