ASF Bugzilla – Attachment 25760 Details for
Bug 48960
SSI Servlet should support safe configuration
[patch]
Patch to disable exec by default, new allowExec tag
ssi6.diff (text/plain), 4.47 KB, created by
Yair Lenga
on 2010-07-13 15:52:28 UTC
Description:
Patch to disable exec by default, new allowExec tag
Filename:
MIME Type:
Creator:
Yair Lenga
Created:
2010-07-13 15:52:28 UTC
Size:
4.47 KB
patch
obsolete
>Only in new: META-INF
>diff -u new/SSIFilter.java old/SSIFilter.java
>--- new/SSIFilter.java 2010-07-13 15:43:49.000045000 -0400
>+++ old/SSIFilter.java 2010-07-13 15:47:09.000024000 -0400
>@@ -59,8 +59,6 @@
> /** default pattern for ssi filter content type matching */
> protected Pattern shtmlRegEx =
> Pattern.compile("text/x-server-parsed-html(;.*)?");
>- /** Unsafe operation (exec cmd) */
>- protected boolean allow_exec = false ;
>
>
> //----------------- Public methods.
>@@ -86,13 +84,6 @@
> isVirtualWebappRelative =
> Boolean.parseBoolean(config.getInitParameter("isVirtualWebappRelative"));
>
>- allow_exec =
>- Boolean.parseBoolean(config.getInitParameter("allowExec"));
>-
>- if ( allow_exec ) {
>- config.getServletContext().log("SSIServlet.init() SSI invoker started with 'allow_exec' - allowing unsafe exec/include");
>- } ;
>-
> if (config.getInitParameter("expires") != null)
> expires = Long.valueOf(config.getInitParameter("expires"));
>
>@@ -134,7 +125,7 @@
> new SSIServletExternalResolver(config.getServletContext(), req,
> res, isVirtualWebappRelative, debug, encoding);
> SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
>- debug, allow_exec);
>+ debug);
>
> // prepare readers/writers
> Reader reader =
>diff -u new/SSIProcessor.java old/SSIProcessor.java
>--- new/SSIProcessor.java 2010-07-13 15:43:49.000041000 -0400
>+++ old/SSIProcessor.java 2010-07-13 15:47:09.000029000 -0400
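Review bot: The attachment was produced with `diff -u new/SSIFilter.java old/SSIFilter.java`, so the `allow_exec` field in the hunk at -59,8, and every other allowExec line in the three files, sits on the `-` side. Assuming `new/` is the patched tree, as the description implies, applying the file as posted would delete the flag and put `addCommand("exec", new SSIExec());` back into `addBuiltinCommands()`; it should be regenerated with the original tree as the first argument. The field name also departs from the camelCase of `isVirtualWebappRelative` in the same class, and `protected boolean allowExec = false;` would match the init-param it mirrors. The same field is added to SSIServlet.java in the hunk at -54,8.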
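Review bot: The startup log line in the SSIFilter hunk at -86,13 names the wrong class and overstates the effect: it reads `SSIServlet.init()` inside SSIFilter, and it says `exec/include` although the only command this patch gates is `exec` (`include` stays in `addBuiltinCommands()`). A message such as `"SSIFilter.init() allowExec=true: SSI exec command is enabled"` tells an operator reading the log exactly which unsafe feature is on; the SSIServlet hunk at -73,13 needs the same `exec/include` correction. `Boolean.parseBoolean` returns false for a missing parameter, so exec stays off unless it is configured, which deserves a one-line comment next to the assignment, and the `;` after the closing brace is an empty statement that can go. Nothing in this attachment documents the new `allowExec` init-param, and the enclosing method starts and ends outside the hunk.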
>@@ -44,17 +44,17 @@
> protected int debug;
>
>
>- public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug, boolean allow_exec) {
>+ public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) {
> this.ssiExternalResolver = ssiExternalResolver;
> this.debug = debug;
> addBuiltinCommands();
>- if ( allow_exec ) addExecCommands() ;
> }
>
>
> protected void addBuiltinCommands() {
> addCommand("config", new SSIConfig());
> addCommand("echo", new SSIEcho());
>+ addCommand("exec", new SSIExec());
> addCommand("include", new SSIInclude());
> addCommand("flastmod", new SSIFlastmod());
> addCommand("fsize", new SSIFsize());
>@@ -63,14 +63,10 @@
> SSIConditional ssiConditional = new SSIConditional();
> addCommand("if", ssiConditional);
> addCommand("elif", ssiConditional);
>- addCommand("else", ssiConditional);
> addCommand("endif", ssiConditional);
>+ addCommand("else", ssiConditional);
> }
>
>- protected void addExecCommands() {
>- addCommand("exec", new SSIExec());
>- } ;
>-
>
> public void addCommand(String name, SSICommand command) {
> commands.put(name, command);
>@@ -325,4 +321,4 @@
> protected boolean isQuote(char c) {
> return c == '\'' || c == '\"' || c == '`';
> }
>-}
>+}
>\ No newline at end of file
>diff -u new/SSIServlet.java old/SSIServlet.java
>--- new/SSIServlet.java 2010-07-13 15:43:49.000036000 -0400
>+++ old/SSIServlet.java 2010-07-13 15:47:09.000033000 -0400
>@@ -54,8 +54,6 @@
> protected String inputEncoding = null;
> /** Output encoding. If not specified, uses platform default */
> protected String outputEncoding = "UTF-8";
>- /** Unsafe operation (exec cmd) */
>- protected boolean allow_exec = false ;
>
>
> //----------------- Public methods.
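Review bot: Replacing the public two-argument constructor in the hunk at -44,17 with a three-argument one breaks any code outside these three files that constructs or subclasses `SSIProcessor`. Keeping the old signature as an overload that defaults to the safe setting avoids that: `public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) { this(ssiExternalResolver, debug, false); }`. The new parameter has no Javadoc; one sentence stating that `allow_exec` decides whether the `exec` command is registered at all would do. What the processor writes for an `exec` directive once the command is unregistered is decided outside this hunk, so it is worth confirming that such pages yield the configured error message.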
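Review bot: `addExecCommands()` in the hunk at -63,14 has no comment explaining why it is kept apart from `addBuiltinCommands()`. A Javadoc such as `/** Registers the unsafe exec command; called only when allowExec is true. */` records the intent for subclasses that override it. The `;` after the method's closing brace is an empty declaration and should be dropped. The `else`/`endif` swap in the same hunk is unrelated to the feature and only adds noise to the diff.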
>@@ -73,13 +71,6 @@
> isVirtualWebappRelative =
> Boolean.parseBoolean(getServletConfig().getInitParameter("isVirtualWebappRelative"));
>
>- allow_exec =
>- Boolean.parseBoolean(getServletConfig().getInitParameter("allowExec"));
>-
>- if ( allow_exec ) {
>- log("SSIServlet.init() SSI invoker started with 'allow_exec' - allowing unsafe exec/include");
>- } ;
>-
> if (getServletConfig().getInitParameter("expires") != null)
> expires = Long.valueOf(getServletConfig().getInitParameter("expires"));
>
>@@ -185,7 +176,7 @@
> new SSIServletExternalResolver(getServletContext(), req, res,
> isVirtualWebappRelative, debug, inputEncoding);
> SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
>- debug, allow_exec);
>+ debug);
> PrintWriter printWriter = null;
> StringWriter stringWriter = null;
> if (buffered) {
>@@ -221,4 +212,4 @@
> }
> bufferedReader.close();
> }
>-}
>+}
>\ No newline at end of file
Attachments on
bug 48960
:
25166
| 25760