On 07.10.2019 at 20:01, Rémy Maucherat wrote:
On Mon, Oct 7, 2019 at 4:46 PM Christopher Schultz
<ch...@christopherschultz.net> wrote:
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256
All,
I recently gave a presentation on locking-down Apache Tomcat[1] and I
briefly discussed the "sharp edges" present in Tomcat. Some of them
are unnecessarily sharp and may be actually unnecessary. I'm going to
make a few proposals to remove functions from Tomcat.
Proposal: Remove Server-Side Includes
+1
Justification:
The SSI module is a remote-code execution (RCE) vulnerability as a
feature. My sense is that SSI is a little-used feature. A few years
ago, markt[2] asked if anyone was using SSI. The only replies were
from other Tomcat devs commenting on what to do with SSI if it's no
longer in the main Tomcat distribution; there were no community
members who responded saying that SSI was important to them.
If the packaging of Tomcat could be tweaked a bit to move the SSI
components into a separate JAR file (e.g. move
org/apache/catalina/ssi/* to catalina-ssi.jar) and if the SSI
components don't rely on any Tomcat specific capabilities or
internals, then the catalina-ssi.jar file could be used between
Tomcat versions. For example, a user of Tomcat 10 who still needs SSI
could get the SSI module from a distribution of Tomcat 8.5.x or 9.x.
Yes, basically I think we should remove both CGI and SSI, *but* actually
keep them in a separate JAR. For CGI this is harder as it is directly in
the servlets package, so it would have to be moved to servlets.cgi for
Tomcat 10.
+1
Regards,
Rainer
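Until SSI is actually split out of the distribution, the practical question for an operator is whether SSI is live on a given Tomcat instance. The following is an added example, not code from this thread or from the Tomcat project: it audits a web.xml for active (uncommented) declarations of the SSI servlet and filter classes, and checks whether a JAR still carries the org/apache/catalina/ssi package that the thread proposes moving into a separate catalina-ssi.jar. The class names org.apache.catalina.ssi.SSIServlet and org.apache.catalina.ssi.SSIFilter are taken from Tomcat's default conf/web.xml; the function names, the sample web.xml documents and the sample JAR are constructed for this example.

```python
"""Audit a Tomcat web.xml (conf/web.xml or a webapp's WEB-INF/web.xml)
for live Server-Side Includes (SSI) declarations.

Added example, not from the mailing-list thread or the Tomcat project.
Assumption: Tomcat's SSI support is the servlet class
org.apache.catalina.ssi.SSIServlet and the filter class
org.apache.catalina.ssi.SSIFilter, both declared but commented out in the
stock conf/web.xml. The XML parser drops comments, so a commented-out
declaration is correctly reported as inactive.
"""
import io
import sys
import xml.etree.ElementTree as ET
import zipfile

SSI_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet",
    "org.apache.catalina.ssi.SSIFilter",
}
SSI_PACKAGE_PREFIX = "org/apache/catalina/ssi/"


def _local(tag):
    """Strip the XML namespace so Tomcat 9 (javaee) and Tomcat 10 (jakarta)
    web.xml files are handled the same way."""
    return tag.rsplit("}", 1)[-1]


def find_active_ssi(web_xml_text):
    """Return [(kind, name, class)] for every uncommented <servlet> or
    <filter> whose class is one of the SSI classes, in document order."""
    root = ET.fromstring(web_xml_text)
    hits = []
    for elem in root.iter():
        kind = _local(elem.tag)
        if kind not in ("servlet", "filter"):
            continue
        name = cls = None
        for child in elem:
            tag = _local(child.tag)
            if tag in ("servlet-name", "filter-name"):
                name = (child.text or "").strip()
            elif tag in ("servlet-class", "filter-class"):
                cls = (child.text or "").strip()
        if cls in SSI_CLASSES:
            hits.append((kind, name, cls))
    return hits


def ssi_classes_in_jar(jar):
    """True if the JAR (path or file-like object) contains the
    org/apache/catalina/ssi package, i.e. the SSI code is still shipped."""
    with zipfile.ZipFile(jar) as zf:
        return any(n.startswith(SSI_PACKAGE_PREFIX) for n in zf.namelist())


def make_sample_jar(entry_names):
    """Build an in-memory JAR with the given entry names (constructed
    sample data for the example; real deployments pass lib/catalina.jar)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name in entry_names:
            zf.writestr(name, b"")
    buf.seek(0)
    return buf


# Constructed sample: SSI declared but commented out, as in the stock file.
DEFAULT_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>default</servlet-name>
    <servlet-class>org.apache.catalina.servlets.DefaultServlet</servlet-class>
  </servlet>
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  -->
</web-app>"""

# Constructed sample: an operator has uncommented both SSI declarations.
ENABLED_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <filter>
    <filter-name>ssi</filter-name>
    <filter-class>org.apache.catalina.ssi.SSIFilter</filter-class>
  </filter>
</web-app>"""


if __name__ == "__main__":
    # Usage: python ssi_audit.py [path/to/web.xml] [path/to/catalina.jar]
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            print("active SSI declarations:", find_active_ssi(fh.read()))
    else:
        print("stock web.xml:", find_active_ssi(DEFAULT_WEB_XML))
        print("SSI enabled:", find_active_ssi(ENABLED_WEB_XML))
    if len(sys.argv) > 2:
        print("SSI classes present in JAR:", ssi_classes_in_jar(sys.argv[2]))
```

Run it against conf/web.xml and each deployed WEB-INF/web.xml; an empty result means no SSI servlet or filter is mapped there. Note that a live declaration in conf/web.xml only takes effect for contexts marked privileged, so a hit is a reason to look at the Context configuration, not proof of exposure on its own.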