All,
I recently gave a presentation on locking-down Apache Tomcat[1] and I briefly discussed the "sharp edges" present in Tomcat. Some of them are unnecessarily sharp and may be actually unnecessary. I'm going to make a few proposals to remove functions from Tomcat.

Proposal: Remove Server-Side Includes

Justification: The SSI module is a remote-code execution (RCE) vulnerability as a feature.

My sense is that SSI is a little-used feature. A few years ago, markt[2] asked if anyone was using SSI. The only replies were from other Tomcat devs commenting on what to do with SSI if it's no longer in the main Tomcat distribution; there were no community members who responded saying that SSI was important to them.

If the packaging of Tomcat could be tweaked a bit to move the SSI components into a separate JAR file (e.g. move org/apache/catalina/ssi/* to catalina-ssi.jar) and if the SSI components don't rely on any Tomcat specific capabilities or internals, then the catalina-ssi.jar file could be used between Tomcat versions. For example, a user of Tomcat 10 who still needs SSI could get the SSI module from a distribution of Tomcat 8.5.x or 9.x.
-chris

[1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat
[2] https://lists.apache.org/thread.html/969a9d1b6e883a4017907c448292880624cc85eb22c490b241dc9c88@%3Cusers.tomcat.apache.org%3E
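Whether or not the module is ever split out, an operator reading this proposal will want to know if SSI is actually wired up on their own instances. The script below is an added example, not part of the mail or of the Tomcat project; it assumes the standard CATALINA_BASE layout (conf/web.xml plus webapps/*/WEB-INF/web.xml) and that SSI is enabled by declaring org.apache.catalina.ssi.SSIServlet or org.apache.catalina.ssi.SSIFilter in one of those files. The default conf/web.xml ships that stanza commented out, so the check strips XML comments before matching to avoid a false positive. The fixture it builds under mktemp is constructed sample data for demonstration only.

```shell
#!/bin/sh
# Added example (not from the original mail or from Tomcat): audit a
# Tomcat instance for enabled Server-Side Includes.

# Remove XML comments so the commented-out SSI stanza that ships in the
# default conf/web.xml is not reported as enabled. Single-line comments
# are cut by the substitution; multi-line ones by the range delete.
strip_xml_comments() {
    sed -e 's/<!--.*-->//g' -e '/<!--/,/-->/d' "$1"
}

# Succeeds (exit 0) if the given web.xml declares SSIServlet or SSIFilter
# outside of comments.
ssi_enabled_in() {
    strip_xml_comments "$1" |
        grep -qE 'org\.apache\.catalina\.ssi\.SSI(Servlet|Filter)'
}

# $1 = CATALINA_BASE. Prints every web.xml that enables SSI (global
# conf/web.xml and each deployed webapp). Returns 1 if any did, else 0.
audit_tomcat_ssi() {
    base=$1
    found=0
    for f in "$base/conf/web.xml" "$base"/webapps/*/WEB-INF/web.xml; do
        [ -f "$f" ] || continue          # unmatched glob stays literal
        if ssi_enabled_in "$f"; then
            echo "SSI enabled: $f"
            found=1
        fi
    done
    return $found
}

# Constructed fixture: global web.xml with the stanza commented out (as
# shipped), one webapp that really enables SSIFilter, one that only has a
# commented-out reference. Prints the fixture directory.
make_fixture() {
    d=$(mktemp -d)
    mkdir -p "$d/conf" "$d/webapps/legacy/WEB-INF" "$d/webapps/clean/WEB-INF"
    cat > "$d/conf/web.xml" <<'EOF'
<web-app>
<!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
-->
</web-app>
EOF
    cat > "$d/webapps/legacy/WEB-INF/web.xml" <<'EOF'
<web-app>
  <filter>
    <filter-name>ssi</filter-name>
    <filter-class>org.apache.catalina.ssi.SSIFilter</filter-class>
  </filter>
</web-app>
EOF
    cat > "$d/webapps/clean/WEB-INF/web.xml" <<'EOF'
<web-app>
  <!-- <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class> -->
</web-app>
EOF
    echo "$d"
}

# Demo: pass a real CATALINA_BASE as $1, otherwise audit the fixture.
BASE=${1:-$(make_fixture)}
if audit_tomcat_ssi "$BASE"; then
    echo "no SSI wiring found under $BASE"
fi
```

Run it as `sh audit-ssi.sh /path/to/catalina_base`; a non-zero exit means at least one file was listed. Note that an SSI servlet also requires the context to be marked privileged, so a webapp flagged here but deployed with the default context may still be inert, while a flagged webapp with `privileged="true"` is the case worth acting on first.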