On 07.10.2019 at 20:01, Rémy Maucherat wrote:
On Mon, Oct 7, 2019 at 4:46 PM Christopher Schultz <ch...@christopherschultz.net> wrote:

    All,

    I recently gave a presentation on locking-down Apache Tomcat[1] and I
    briefly discussed the "sharp edges" present in Tomcat. Some of them
    are unnecessarily sharp and may be actually unnecessary. I'm going to
    make a few proposals to remove functions from Tomcat.

    Proposal: Remove Server-Side Includes

+1

    Justification:

    The SSI module is a remote-code execution (RCE) vulnerability as a
    feature. My sense is that SSI is a little-used feature. A few years
    ago, markt[2] asked if anyone was using SSI. The only replies were
    from other Tomcat devs commenting on what to do with SSI if it's no
    longer in the main Tomcat distribution; there were no community
    members who responded saying that SSI was important to them.

    If the packaging of Tomcat could be tweaked a bit to move the SSI
    components into a separate JAR file (e.g. move
    org/apache/catalina/ssi/* to catalina-ssi.jar) and if the SSI
    components don't rely on any Tomcat specific capabilities or
    internals, then the catalina-ssi.jar file could be used between
    Tomcat versions. For example, a user of Tomcat 10 who still needs SSI
    could get the SSI module from a distribution of Tomcat 8.5.x or 9.x.


Yes, basically I think we should remove both CGI and SSI, *but* actually keep them in a separate JAR. For CGI this is harder as it is directly in the servlets package, so it would have to be moved to servlets.cgi for Tomcat 10.

+1

Regards,

Rainer
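Until SSI is actually split out, an administrator who wants to confirm that the "RCE as a feature" discussed above is not live can check whether anything in the org.apache.catalina.ssi package is still declared in conf/web.xml. The following is an added example, not code from this thread or from Tomcat; it assumes the servlet and filter class names SSIServlet and SSIFilter under that package, and the sample web.xml is constructed.

```python
import xml.etree.ElementTree as ET

SSI_PACKAGE = "org.apache.catalina.ssi."
# Constructed sample of a Tomcat conf/web.xml: the SSI servlet is live, while
# the SSI filter is commented out the way it ships in a stock distribution.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
  <!--
  <filter>
    <filter-name>ssi</filter-name>
    <filter-class>org.apache.catalina.ssi.SSIFilter</filter-class>
  </filter>
  -->
</web-app>
"""

def _local(tag):
    # ElementTree prefixes tags with {namespace}; keep only the local name
    return tag.rsplit("}", 1)[-1]

def _child_text(elem, *names):
    for child in elem:
        if _local(child.tag) in names:
            return (child.text or "").strip()
    return None

def find_active_ssi(web_xml):
    """Return {(kind, name): [url patterns]} for every live SSI servlet/filter.
    The parser drops XML comments, so commented-out blocks count as inactive."""
    root = ET.fromstring(web_xml)
    active = {}
    for decl in root.iter():
        kind = _local(decl.tag)
        if kind in ("servlet", "filter"):
            cls = _child_text(decl, "servlet-class", "filter-class") or ""
            if cls.startswith(SSI_PACKAGE):
                active[(kind, _child_text(decl, "servlet-name", "filter-name"))] = []
    for mapping in root.iter():
        tag = _local(mapping.tag)
        if tag.endswith("-mapping"):
            key = (tag[:-len("-mapping")],
                   _child_text(mapping, "servlet-name", "filter-name"))
            if key in active:
                active[key] += [(c.text or "").strip() for c in mapping
                                if _local(c.tag) == "url-pattern"]
    return active
```

Run it against the real conf/web.xml and each application's WEB-INF/web.xml; an empty result means no SSI servlet or filter is declared, a non-empty one shows exactly which URL patterns would be processed.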

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org