Bug 49520 - SSI Servlet should support safe configuration
Summary: SSI Servlet should support safe configuration
Status: RESOLVED DUPLICATE of bug 48960
Alias: None
Product: Tomcat 7
Classification: Unclassified
Component: Catalina (show other bugs)
Version: unspecified
Hardware: All All
: P2 major (vote)
Target Milestone: ---
Assignee: Tomcat Developers Mailing List
Depends on:
Reported: 2010-06-29 09:50 UTC by Yair Lenga
Modified: 2010-06-29 12:45 UTC (History)
0 users


Note You need to log in before you can comment on or make changes to this bug.
Description Yair Lenga 2010-06-29 09:50:10 UTC
This is a duplicate request from the Tomcat 6 (Bug 48960). See proposed solution/discussion:

The current configuration of the SSI module is "All" or "None". The "ALL"
option will expose all the legacy Apache SSI directive (echo, printenv, if,
exec, ...). As documented, allowing SSI will allow execution of arbitrary
programs using the "exec". As a result, there is no safe way to expose
sites/projects containing SSI directive, without taking a security risk, or
reviewing of every file.

The "exec" directive, with the cmd option is a major risk. Even for Apache, you
have the option to allowing the "safe" include (includeNoExec). The
includeNoExec allow pages to be served, even when the content is not reviewed,
or when users are allowed to upload content to the site.

I have a big site which need to be converted into JSP. I would like to use the
SSI servlet to allow for transition over time. The extra risk from ( from exec
cmd) make it impossible to deploy the SSI.

My request: Modify the configuration of SSI as follow: By default, it will only
allow "safe" directive (no exec cmd=...). This will eliminate the risk from
arbitrary execution of commands ("del *.*"). It will also remove many potentail
load problems. The cmd= should only be allowed using a directive like
"allowUnsafeExec", which will default to false.

I think that the change will make it easier to use the SSI feature, without
exposing the server to big risk. The risk associated with the "safer" version
of SSI is similar to the risk from running JSP pages.

A better alternative is to eliminate the "exec cmd=" option alltogether.
Comment 1 Mark Thomas 2010-06-29 12:45:54 UTC
We don't create issues for each version. Any issue reported against major version X, will get fixed (if applicable) in all major versions >= X. It may also, depending on the severity of the issue, get fixed in major versions < X as well.

*** This bug has been marked as a duplicate of bug 48960 ***