You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@tomcat.apache.org by bu...@apache.org on 2010/06/29 15:50:13 UTC
DO NOT REPLY [Bug 49520] New: SSI Servlet should support safe
configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=49520
Summary: SSI Servlet should support safe configuration
Product: Tomcat 7
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: dev@tomcat.apache.org
ReportedBy: yair.lenga@citi.com
This is a duplicate request from the Tomcat 6 (Bug 48960). See proposed
solution/discussion:
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
The current configuration of the SSI module is "All" or "None". The "ALL"
option will expose all the legacy Apache SSI directive (echo, printenv, if,
exec, ...). As documented, allowing SSI will allow execution of arbitrary
programs using the "exec". As a result, there is no safe way to expose
sites/projects containing SSI directive, without taking a security risk, or
reviewing of every file.
The "exec" directive, with the cmd option is a major risk. Even for Apache, you
have the option to allowing the "safe" include (includeNoExec). The
includeNoExec allow pages to be served, even when the content is not reviewed,
or when users are allowed to upload content to the site.
I have a big site which need to be converted into JSP. I would like to use the
SSI servlet to allow for transition over time. The extra risk from ( from exec
cmd) make it impossible to deploy the SSI.
My request: Modify the configuration of SSI as follow: By default, it will only
allow "safe" directive (no exec cmd=...). This will eliminate the risk from
arbitrary execution of commands ("del *.*"). It will also remove many potentail
load problems. The cmd= should only be allowed using a directive like
"allowUnsafeExec", which will default to false.
I think that the change will make it easier to use the SSI feature, without
exposing the server to big risk. The risk associated with the "safer" version
of SSI is similar to the risk from running JSP pages.
A better alternative is to eliminate the "exec cmd=" option alltogether.
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org
DO NOT REPLY [Bug 49520] SSI Servlet should support safe
configuration
Posted by bu...@apache.org.
https://issues.apache.org/bugzilla/show_bug.cgi?id=49520
Mark Thomas <ma...@apache.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |DUPLICATE
--- Comment #1 from Mark Thomas <ma...@apache.org> 2010-06-29 12:45:54 EDT ---
We don't create issues for each version. Any issue reported against major
version X, will get fixed (if applicable) in all major versions >= X. It may
also, depending on the severity of the issue, get fixed in major versions < X
as well.
*** This bug has been marked as a duplicate of bug 48960 ***
--
Configure bugmail: https://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscribe@tomcat.apache.org
For additional commands, e-mail: dev-help@tomcat.apache.org