You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by ma...@apache.org on 2010/07/16 12:23:05 UTC
svn commit: r964732 - in /tomcat/tc6.0.x/trunk: ./ conf/
java/org/apache/catalina/ssi/ webapps/docs/
Author: markt
Date: Fri Jul 16 10:23:04 2010
New Revision: 964732
URL: http://svn.apache.org/viewvc?rev=964732&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
Disable exec in SSI by default and provide new option to enable it
Modified:
tomcat/tc6.0.x/trunk/ (props changed)
tomcat/tc6.0.x/trunk/STATUS.txt
tomcat/tc6.0.x/trunk/conf/web.xml
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIFilter.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIProcessor.java
tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIServlet.java
tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
tomcat/tc6.0.x/trunk/webapps/docs/ssi-howto.xml
Propchange: tomcat/tc6.0.x/trunk/
------------------------------------------------------------------------------
--- svn:mergeinfo (original)
+++ svn:mergeinfo Fri Jul 16 10:23:04 2010
@@ -1 +1 @@
-/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701
+/tomcat/trunk:601180,606992,612607,630314,640888,652744,653247,666232,673796,673820,677910,683969,683982,684001,684081,684234,684269-684270,685177,687503,687645,689402,690781,691392,691805,692748,693378,694992,695053,695311,696780,696782,698012,698227,698236,698613,699427,699634,701355,709294,709811,709816,710063,710066,710125,710205,711126,711600,712461,712467,713953,714002,718360,719119,719124,719602,719626,719628,720046,720069,721040,721286,721708,721886,723404,723738,726052,727303,728032,728768,728947,729057,729567,729569,729571,729681,729809,729815,729934,730250,730590,731651,732859,732863,734734,740675,740684,742677,742697,742714,744160,744238,746321,746384,746425,747834,747863,748344,750258,750291,750921,751286-751287,751289,751295,752323,753039,757335,757774,758249,758365,758596,758616,758664,759074,761601,762868,762929,762936-762937,763166,763183,763193,763228,763262,763298,763302,763325,763599,763611,763654,763681,763706,764985,764997,765662,768335,769979,770716,77
0809,770876,772872,776921,776924,776935,776945,777464,777466,777576,777625,778379,778523-778524,781528,781779,782145,782791,783316,783696,783724,783756,783762,783766,783863,783934,784453,784602,784614,785381,785688,785768,785859,786468,786487,786490,786496,786667,787627,787770,787985,789389,790405,791041,791184,791194,791224,791243,791326,791328,791789,792740,793372,793757,793882,793981,794082,794673,794822,795043,795152,795210,795457,795466,797168,797425,797596,797607,802727,802940,804462,804544,804734,805153,809131,809603,810916,810977,812125,812137,812432,813001,813013,813866,814180,814708,814876,815972,816252,817442,817822,819339,819361,820110,820132,820874,820954,821397,828196,828201,828210,828225,828759,830378-830379,830999,831106,831774,831785,831828,831850,831860,832214,832218,833121,833545,834047,835036,835336,836405,881396,881412,883130,883134,883146,883165,883177,883362,883565,884341,885038,885231,885241,885260,885901,885991,886019,888072,889363,889606,889716,8901
39,890265,890349-890350,890417,891185-891187,891583,892198,892341,892415,892464,892555,892812,892814,892817,892843,892887,893321,893493,894580,894586,894805,894831,895013,895045,895057,895191,895392,895703,896370,896384,897380-897381,897776,898126,898256,898468,898527,898555,898558,898718,898836,898906,899284,899348,899420,899653,899769-899770,899783,899788,899792,899916,899918-899919,899935,899949,903916,905020,905151,905722,905728,905735,907311,907513,907538,907652,907819,907825,907864,908002,908721,908754,908759,909097,909206,909212,909525,909636,909869,909875,909887,910266,910370,910442,910471,910485,910974,915226,915737,915861,916097,916141,916157,916170,917598,917633,918093,918489,918594,918684,918787,918792,918799,918803,918885,919851,919914,920025,920055,920298,920449,920596,920824,920840,921444,922010,926716,927062,927621,928482,928695,928732,928798,931709,932357,932967,935105,935983,939491,939551,940064,941356,941463,944409,944416,945231,945808,945835,945841,946686
,948057,950164,950596,950614,950851,950905,951615,953434,954435,955648,955655,956832,957130,957830,958192,960701,963868
Modified: tomcat/tc6.0.x/trunk/STATUS.txt
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/STATUS.txt?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/STATUS.txt (original)
+++ tomcat/tc6.0.x/trunk/STATUS.txt Fri Jul 16 10:23:04 2010
@@ -171,12 +171,6 @@ PATCHES PROPOSED TO BACKPORT:
+1: markt, kkolinko
-1:
-* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
- Disable exec in SSI by default and provide new option to enable it
- http://svn.apache.org/viewvc?rev=963868&view=rev
- +1: markt, kkolinko, kfujino
- -1:
-
* Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=49598
When updating the session cookie, correctly replace the Set-Cookie header
This was a regression in 6.0.28 in the fix for
Modified: tomcat/tc6.0.x/trunk/conf/web.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/conf/web.xml?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/conf/web.xml (original)
+++ tomcat/tc6.0.x/trunk/conf/web.xml Fri Jul 16 10:23:04 2010
@@ -292,6 +292,8 @@
<!-- -->
<!-- outputEncoding The encoding to use for the page that results -->
<!-- from the SSI processing. [UTF-8] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
<!--
<servlet>
@@ -448,6 +450,8 @@
<!-- Should "virtual" paths be interpreted as -->
<!-- relative to the context root, instead of -->
<!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
<!--
<filter>
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIFilter.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIFilter.java?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIFilter.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIFilter.java Fri Jul 16 10:23:04 2010
@@ -59,6 +59,8 @@ public class SSIFilter implements Filter
/** default pattern for ssi filter content type matching */
protected Pattern shtmlRegEx =
Pattern.compile("text/x-server-parsed-html(;.*)?");
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
@@ -87,6 +89,8 @@ public class SSIFilter implements Filter
if (config.getInitParameter("expires") != null)
expires = Long.valueOf(config.getInitParameter("expires"));
+ allowExec = Boolean.parseBoolean(config.getInitParameter("allowExec"));
+
if (debug > 0)
config.getServletContext().log(
"SSIFilter.init() SSI invoker started with 'debug'=" + debug);
@@ -125,7 +129,7 @@ public class SSIFilter implements Filter
new SSIServletExternalResolver(config.getServletContext(), req,
res, isVirtualWebappRelative, debug, encoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
// prepare readers/writers
Reader reader =
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIProcessor.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIProcessor.java?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIProcessor.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIProcessor.java Fri Jul 16 10:23:04 2010
@@ -42,11 +42,14 @@ public class SSIProcessor {
protected SSIExternalResolver ssiExternalResolver;
protected HashMap commands = new HashMap();
protected int debug;
+ protected final boolean allowExec;
- public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) {
+ public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug,
+ boolean allowExec) {
this.ssiExternalResolver = ssiExternalResolver;
this.debug = debug;
+ this.allowExec = allowExec;
addBuiltinCommands();
}
@@ -54,7 +57,9 @@ public class SSIProcessor {
protected void addBuiltinCommands() {
addCommand("config", new SSIConfig());
addCommand("echo", new SSIEcho());
- addCommand("exec", new SSIExec());
+ if (allowExec) {
+ addCommand("exec", new SSIExec());
+ }
addCommand("include", new SSIInclude());
addCommand("flastmod", new SSIFlastmod());
addCommand("fsize", new SSIFsize());
Modified: tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIServlet.java
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIServlet.java?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIServlet.java (original)
+++ tomcat/tc6.0.x/trunk/java/org/apache/catalina/ssi/SSIServlet.java Fri Jul 16 10:23:04 2010
@@ -54,6 +54,8 @@ public class SSIServlet extends HttpServ
protected String inputEncoding = null;
/** Output encoding. If not specified, uses platform default */
protected String outputEncoding = "UTF-8";
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
@@ -81,6 +83,9 @@ public class SSIServlet extends HttpServ
if (getServletConfig().getInitParameter("outputEncoding") != null)
outputEncoding = getServletConfig().getInitParameter("outputEncoding");
+ allowExec = Boolean.parseBoolean(
+ getServletConfig().getInitParameter("allowExec"));
+
if (debug > 0)
log("SSIServlet.init() SSI invoker started with 'debug'=" + debug);
@@ -176,7 +181,7 @@ public class SSIServlet extends HttpServ
new SSIServletExternalResolver(getServletContext(), req, res,
isVirtualWebappRelative, debug, inputEncoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
PrintWriter printWriter = null;
StringWriter stringWriter = null;
if (buffered) {
Modified: tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/changelog.xml Fri Jul 16 10:23:04 2010
@@ -42,6 +42,11 @@
<section name="Tomcat 6.0.29 (jfclere)">
<subsection name="Catalina">
<changelog>
+ <add>
+ <bug>48960</bug>: Add a new option to the SSI Servlet and SSI Filter to
+ allow the disabling of the <code>exec</code> command. This is now
+ disabled by default. Based on a patch by Yair Lenga. (markt)
+ </add>
<fix>
<bug>49551</bug>: Allow default context.xml location to be specified
using an absolute path. (markt)
Modified: tomcat/tc6.0.x/trunk/webapps/docs/ssi-howto.xml
URL: http://svn.apache.org/viewvc/tomcat/tc6.0.x/trunk/webapps/docs/ssi-howto.xml?rev=964732&r1=964731&r2=964732&view=diff
==============================================================================
--- tomcat/tc6.0.x/trunk/webapps/docs/ssi-howto.xml (original)
+++ tomcat/tc6.0.x/trunk/webapps/docs/ssi-howto.xml Fri Jul 16 10:23:04 2010
@@ -105,6 +105,8 @@ resources if one cannot be determined fr
the default platform encoding.</li>
<li><strong>outputEncoding</strong> - The encoding to be used for the result
of the SSI processing. Default is UTF-8.</li>
+<li><strong>allowExec</strong> - Is the exec command enabled? Default is
+false.</li>
</ul>
</p>
@@ -128,6 +130,8 @@ evaluated for every request.</li>
<li><strong>isVirtualWebappRelative</strong> - Should "virtual" SSI directive
paths be interpreted as relative to the context root, instead of the server
root? (0=false, 1=true) Default 0 (false).</li>
+<li><strong>allowExec</strong> - Is the exec command enabled? Default is
+false.</li>
</ul>
</p>
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org