This is a duplicate request from the Tomcat 6 one (Bug 48960). See the proposed solution/discussion: https://issues.apache.org/bugzilla/show_bug.cgi?id=48960

The current configuration of the SSI module is "All" or "None". The "ALL" option will expose all the legacy Apache SSI directives (echo, printenv, if, exec, ...). As documented, allowing SSI will allow execution of arbitrary programs using the "exec". As a result, there is no safe way to expose sites/projects containing SSI directives without taking a security risk or reviewing every file. The "exec" directive, with the cmd option, is a major risk.

Even for Apache, you have the option to allow the "safe" include (includeNoExec). The includeNoExec allows pages to be served even when the content is not reviewed, or when users are allowed to upload content to the site.

I have a big site which needs to be converted into JSP. I would like to use the SSI servlet to allow for a transition over time. The extra risk (from exec cmd) makes it impossible to deploy the SSI.

My request: Modify the configuration of SSI as follows: By default, it will only allow "safe" directives (no exec cmd=...). This will eliminate the risk from arbitrary execution of commands ("del *.*"). It will also remove many potential load problems. The cmd= should only be allowed using a directive like "allowUnsafeExec", which will default to false.

I think that the change will make it easier to use the SSI feature without exposing the server to a big risk. The risk associated with the "safer" version of SSI is similar to the risk from running JSP pages. A better alternative is to eliminate the "exec cmd=" option altogether.
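A review-side check for the situation the report describes (content that cannot be reviewed file by file before SSI is enabled), as an added example that is not part of this bug, of Apache or of Tomcat: it parses the SSI directives in a page and lists the ones a safe-by-default policy would refuse, with an `allow_unsafe_exec` switch standing in for the proposed `allowUnsafeExec` option. The "safe" directive set, the sample page and the function names are constructed assumptions, not Tomcat's own.

```python
"""Audit SSI-enabled content for directives a safe-by-default policy would refuse.

Constructed example: the directive set below approximates the "safe"
(includeNoExec-style) subset discussed in the report; it is not Tomcat's list.
"""
import re
import sys

# One SSI directive: <!--#name attr="value" attr="value" -->
DIRECTIVE_RE = re.compile(r'<!--#\s*(\w+)((?:\s+\w+\s*=\s*"[^"]*")*)\s*-->')
ATTR_RE = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Directives that only read variables or include static content (assumed set).
SAFE_DIRECTIVES = {"echo", "printenv", "if", "elif", "else", "endif",
                   "include", "set", "config", "fsize", "flastmod"}


def parse_directives(text):
    """Return (name, {attr: value}, line_no) for each SSI directive in text."""
    found = []
    for m in DIRECTIVE_RE.finditer(text):
        line_no = text.count("\n", 0, m.start()) + 1
        attrs = dict(ATTR_RE.findall(m.group(2)))
        found.append((m.group(1).lower(), attrs, line_no))
    return found


def unsafe_directives(text, allow_unsafe_exec=False):
    """List (line_no, kind, target) for directives the safe mode would refuse.

    allow_unsafe_exec=True mirrors the proposed opt-in flag: exec is then
    permitted, which is what the current "All" setting does unconditionally.
    """
    findings = []
    for name, attrs, line_no in parse_directives(text):
        if name == "exec" and not allow_unsafe_exec:
            kind = "exec cmd" if "cmd" in attrs else "exec cgi"
            findings.append((line_no, kind, attrs.get("cmd") or attrs.get("cgi", "")))
        elif name not in SAFE_DIRECTIVES and name != "exec":
            findings.append((line_no, "unknown directive", name))
    return findings


# Constructed sample page: two safe directives and two exec directives.
SAMPLE_PAGE = """<html>
<!--#echo var="DATE_LOCAL" -->
<!--#include virtual="/footer.shtml" -->
<!--#exec cmd="ls -l" -->
<!--#exec cgi="/cgi-bin/counter" -->
</html>"""

if __name__ == "__main__":
    # Usage: python ssi_audit.py page.shtml ...  (no args: audit SAMPLE_PAGE)
    sources = [(p, open(p).read()) for p in sys.argv[1:]] or [("sample", SAMPLE_PAGE)]
    for path, text in sources:
        for line_no, kind, target in unsafe_directives(text):
            print(f"{path}:{line_no}: {kind}: {target}")
```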
We don't create issues for each version. Any issue reported against major version X will get fixed (if applicable) in all major versions >= X. It may also, depending on the severity of the issue, get fixed in major versions < X as well.

*** This bug has been marked as a duplicate of bug 48960 ***