> All,
>
> I recently gave a presentation on locking down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove CGI Servlet
-1. Not a veto, just a -1.

> Justification:
>
> The CGIServlet is another component, like server-side-includes, which
> is a remote-code execution (RCE) vulnerability as a feature. It is
> very easy to misconfigure. It is arguably not possible to secure it on
> Windows[2].

I disagree. That is an edge case.

> There are better solutions if you want to run Perl,
> Python, PHP, or whatever on your server in the form of the many fine
> web-server products out there.

Yes, but that isn't the only use of CGI. It is essentially a fairly easy
way to integrate any executable into a web application. My sense is that
this use remains sufficiently widespread that we should not discontinue
it.

Maybe a topic for discussion on users@ ?

Mark

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
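To make the "easy to misconfigure" point above concrete, here is an added example of enabling Tomcat's CGIServlet with each of its security-relevant init-params written out explicitly. It is an editor's illustration, not part of this thread and not taken from Tomcat's own conf/web.xml. The servlet class, the parameter names and the defaults quoted in the comments are the documented ones; the webapp layout, the /cgi-bin/* mapping and the choice of perl as interpreter are assumptions for the example.

```xml
<!-- META-INF/context.xml of the example webapp (layout assumed).
     CGIServlet is a container servlet, so the Context must be marked
     privileged or Tomcat will not load it. When auditing a deployment
     for CGI exposure this attribute is the first thing to look for. -->
<Context privileged="true"/>

<!-- WEB-INF/web.xml excerpt (assumed). Every init-param is set
     explicitly so a reviewer can diff the deployment against the
     documented defaults instead of guessing what is in effect. -->
<servlet>
  <servlet-name>cgi</servlet-name>
  <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>

  <!-- Scripts are only executed from below this directory inside the
       webapp (default WEB-INF/cgi). Keeping it under WEB-INF means the
       script sources are not directly downloadable. -->
  <init-param>
    <param-name>cgiPathPrefix</param-name>
    <param-value>WEB-INF/cgi</param-value>
  </init-param>

  <!-- Interpreter prepended to the script path (default perl). -->
  <init-param>
    <param-name>executable</param-name>
    <param-value>perl</param-value>
  </init-param>

  <!-- Loose setting: true turns a query string that contains no '='
       into command-line arguments for the executable (the RFC 3875
       section 4.4 behaviour). Leave it false unless a specific script
       genuinely needs it. -->
  <init-param>
    <param-name>enableCmdLineArguments</param-name>
    <param-value>false</param-value>
  </init-param>

  <!-- Loose setting: true copies the Tomcat process environment into
       every script's environment. -->
  <init-param>
    <param-name>passShellEnvironment</param-name>
    <param-value>false</param-value>
  </init-param>

  <!-- Only these HTTP methods are passed through to scripts
       (default GET,POST,HEAD). -->
  <init-param>
    <param-name>cgiMethods</param-name>
    <param-value>GET,POST,HEAD</param-value>
  </init-param>
</servlet>

<!-- Map a single narrow path to the servlet rather than a broad
     pattern; the path itself is assumed for the example. -->
<servlet-mapping>
  <servlet-name>cgi</servlet-name>
  <url-pattern>/cgi-bin/*</url-pattern>
</servlet-mapping>
```

The two params marked "loose setting" are the ones a practitioner should grep for in conf/web.xml and in every deployed WEB-INF/web.xml: either one set to true widens what an HTTP request can push into the spawned process, which is the misconfiguration risk the proposal refers to, independent of the platform-specific argument-handling question raised for Windows.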