The current configuration of the SSI module is "All" or "None". The "ALL" option will expose all the legacy Apache SSI directives (echo, printenv, if, exec, ...). As documented, allowing SSI will allow execution of arbitrary programs using "exec". As a result, there is no safe way to expose sites/projects containing SSI directives without taking a security risk or reviewing every file. The "exec" directive with the cmd option is a major risk. Even for Apache, you have the option of allowing the "safe" include (includeNoExec). The includeNoExec allows pages to be served even when the content is not reviewed, or when users are allowed to upload content to the site. I have a big site which needs to be converted into JSP. I would like to use the SSI servlet to allow for transition over time. The extra risk (from exec cmd) makes it impossible to deploy the SSI. My request: Modify the configuration of SSI as follows: By default, it will only allow "safe" directives (no exec cmd=...). This will eliminate the risk from arbitrary execution of commands ("del *.*"). It will also remove many potential load problems. The cmd= should only be allowed using a directive like "allowUnsafeExec", which will default to false. I think that the change will make it easier to use the SSI feature without exposing the server to big risk. The risk associated with the "safer" version of SSI is similar to the risk from running JSP pages.
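The safe-by-default behaviour requested above, shown as an added Python example that is not Tomcat's SSIProcessor code or the attached patch: SSI directives are parsed out of a page, exec is removed unless an allow_exec flag (standing in for the proposed allowExec setting) is set, and every removed directive is reported so it can be logged. The directive set and sample page are constructed for the example.

```python
import re
from typing import Dict, List, Tuple

# One Apache/Tomcat-style SSI directive, e.g. <!--#echo var="DATE_LOCAL" -->.
# Group 1 is the directive name, group 2 the raw attribute list.
SSI_DIRECTIVE = re.compile(
    r'''<!--#\s*([A-Za-z]+)((?:\s+\w+\s*=\s*(?:"[^"]*"|'[^']*'))*)\s*-->''')
ATTRIBUTE = re.compile(r'''(\w+)\s*=\s*(?:"([^"]*)"|'([^']*)')''')

# Directives that only read server/request state or include other files;
# exec is deliberately absent, mirroring an allowExec=false default.
SAFE_DIRECTIVES = {"config", "echo", "flastmod", "fsize", "include",
                   "printenv", "set", "if", "elif", "else", "endif"}

def parse_attributes(raw: str) -> Dict[str, str]:
    """Turn ' cmd="ls" virtual="x"' into {'cmd': 'ls', 'virtual': 'x'}."""
    return {m.group(1): m.group(2) if m.group(2) is not None else m.group(3)
            for m in ATTRIBUTE.finditer(raw)}

def filter_ssi(page: str, allow_exec: bool = False) -> Tuple[str, List[str]]:
    """Neutralise disallowed SSI directives before the page is processed.

    exec is removed unless allow_exec is True; directives outside the
    known-safe set are removed as well. Returns the filtered page and a
    list describing every dropped directive (for logging/alerting)."""
    dropped: List[str] = []

    def decide(match) -> str:
        name = match.group(1).lower()
        attrs = parse_attributes(match.group(2))
        if name == "exec" and not allow_exec:
            dropped.append(f"exec {attrs}")
            return "<!-- SSI exec directive removed (allowExec=false) -->"
        if name != "exec" and name not in SAFE_DIRECTIVES:
            dropped.append(f"{name} {attrs}")
            return f"<!-- unknown SSI directive '{name}' removed -->"
        return match.group(0)  # safe, or exec explicitly allowed: pass through

    return SSI_DIRECTIVE.sub(decide, page), dropped

# Constructed sample page: two harmless directives and one exec cmd.
SAMPLE = ('<p>Updated: <!--#echo var="LAST_MODIFIED" --></p>\n'
          '<!--#include virtual="footer.html" -->\n'
          "<!--#exec cmd='del *.*' -->\n")

if __name__ == "__main__":
    filtered, dropped = filter_ssi(SAMPLE)
    print(filtered, "dropped:", dropped)
```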
Patches for enhancements are always welcome
Created attachment 25166 [details]
Replacement for SSIServlet.java SSIProcessor.java SSIFilter.java

Attached is a quick fix that adds 'allowExec' parameter to the SSI servlet and filter. I could not build the complete Tomcat tree - I'll be happy to test any patched version with this (or similar change). Overall < 50 lines of changes. Basic logic: remove the exec command from the SSIProcessor, unless the allow_exec is true.
Will you take a patch for Tomcat 5.5 ? I'm using RedHat5, which has a Tomcat 5.5 bundled in. It's much easier to get a security upgrade installed, than to get a new version upgrade.
*** Bug 49520 has been marked as a duplicate of this bug. ***
(In reply to comment #4)
> *** Bug 49520 has been marked as a duplicate of this bug. ***

Mark, Is there anything I can do to speed up the inclusion of this change? I've noticed it did not make it for 6.0.28, where a few other CGI/SSI related changes were incorporated. I would love to use the SSI, but I cannot use it because of the security risk of the "unsafe" include/exec.
Providing patches in diff -u format would help.
Created attachment 25760 [details]
Patch to disable exec by default, new allowExec tag

Patch for three files, created against 6.0.26-src
The diff is inverted and the patch is using tabs rather than spaces. I should be able to work with that but you might need to fix it.
In the end I used the patch as a guide and wrote a new one. Some additional comments:
- if you do an svn diff against a normal source tree patches usually apply cleanly
- new features should be documented

The patch has been applied to truck and proposed for 6.0.x
Mark, Thanks for taking the change. I'll follow your suggestions regarding svn diff for the next time. Do I have to submit anything for the change to flow to 7.X? Yair
Sorry truck should have been trunk and trunk == 7.0.x so it is already there.
Fixed in 6.0.x and will be included in 6.0.29 onwards.