| Field | Value |
|---|---|
| Summary | SSI Servlet should support safe configuration |
| Product | Tomcat 6 |
| Component | Catalina |
| Reporter | Yair Lenga <yair.lenga> |
| Assignee | Tomcat Developers Mailing List <dev> |
| Status | RESOLVED FIXED |
| Severity | enhancement |
| Priority | P2 |
| Version | unspecified |
| Target Milestone | default |
| Hardware | All |
| OS | All |
| Attachments | Replacement for SSIServlet.java SSIProcessor.java SSIFilter.java; Patch to disable exec by default, new allowExec tag |
Description

Yair Lenga
2010-03-22 16:37:48 UTC

Created attachment 25166 [details]
Replacement for SSIServlet.java SSIProcessor.java SSIFilter.java

Attached is a quick fix that adds an 'allowExec' parameter to the SSI servlet and filter. I could not build the complete Tomcat tree - I'll be happy to test any patched version with this (or a similar change).

Overall < 50 lines of changes.

Basic logic: remove the exec command from the SSIProcessor, unless allow_exec is true.

---

Patches for enhancements are always welcome.

---

Will you take a patch for Tomcat 5.5? I'm using RedHat5, which has Tomcat 5.5 bundled in. It's much easier to get a security upgrade installed than to get a new version upgrade.

---

*** Bug 49520 has been marked as a duplicate of this bug. ***

---

(In reply to comment #4)
> *** Bug 49520 has been marked as a duplicate of this bug. ***

Mark,

Is there anything I can do to speed up the inclusion of this change? I've noticed it did not make it into 6.0.28, where a few other CGI/SSI related changes were incorporated. I would love to use SSI, but I cannot use it because of the security risk of the "unsafe" include/exec.

---

Providing patches in diff -u format would help.

---

Created attachment 25760 [details]
Patch to disable exec by default, new allowExec tag

Patch for three files, created against 6.0.26-src.

---

The diff is inverted and the patch is using tabs rather than spaces. I should be able to work with that but you might need to fix it. In the end I used the patch as a guide and wrote a new one. Some additional comments:
- if you do an svn diff against a normal source tree, patches usually apply cleanly
- new features should be documented

The patch has been applied to truck and proposed for 6.0.x.

---

Mark,

Thanks for taking the change. I'll follow your suggestions regarding svn diff next time. Do I have to submit anything for the change to flow to 7.X?

Yair

---

Sorry, truck should have been trunk, and trunk == 7.0.x so it is already there.

---

Fixed in 6.0.x and will be included in 6.0.29 onwards.
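For readers who want to see what the `allowExec` switch discussed in this bug looks like in a deployment, the following `web.xml` fragment is an added example; it is not taken from the bug report, the attached patch, or Tomcat's own documentation. It assumes the servlet class `org.apache.catalina.ssi.SSIServlet` and the `allowExec` init parameter named in the report; the other init parameters and values are the ones Tomcat's stock `conf/web.xml` uses for the (commented-out) SSI servlet. The first servlet definition shows the weak setting, the second the hardened one.

```xml
<!-- Added example, not part of the bug report or the patch. -->

<!-- Weak configuration: exec enabled. Any page this servlet serves can
     carry a "#exec cmd" directive, which runs a command as the user the
     Tomcat JVM runs as. Anyone who can write an .shtml file into the
     webapp (upload feature, shared hosting, writable docroot) gets
     command execution. -->
<servlet>
    <servlet-name>ssi-unsafe</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
        <param-name>allowExec</param-name>
        <param-value>true</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>

<!-- Hardened configuration: exec disabled. From 6.0.29 on the parameter
     defaults to false, so omitting it has the same effect; stating it
     explicitly records the intent for the next person reading the file.
     The remaining parameters are the stock Tomcat values. -->
<servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
        <param-name>allowExec</param-name>
        <param-value>false</param-value>
    </init-param>
    <init-param>
        <param-name>buffered</param-name>
        <param-value>1</param-value>
    </init-param>
    <init-param>
        <param-name>debug</param-name>
        <param-value>0</param-value>
    </init-param>
    <init-param>
        <param-name>expires</param-name>
        <param-value>666</param-value>
    </init-param>
    <init-param>
        <param-name>isVirtualWebappRelative</param-name>
        <param-value>0</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
</servlet>

<servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
</servlet-mapping>
```

The same `allowExec` parameter applies to `org.apache.catalina.ssi.SSIFilter` when SSI is enabled as a filter rather than a servlet. Two caveats worth checking on any Tomcat older than 6.0.29 (or 7.0.x trunk before this change): the parameter does not exist there, so setting it does nothing and exec stays enabled; and the SSI servlet only works in a Context marked `privileged="true"`, which is itself a reason to keep the set of contexts that enable SSI small.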