-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 All,
Note: this was not a vote. There was very little feedback, and responses were mixed. We got exactly one response on the users@ list about real-world usage of CGI, so we cannot draw any conclusions about real-world uses. Otherwise, the consensus seems to be that CGIs should stay a part of the main Tomcat distribution, but that perhaps separating it out into a distinct JAR file and/or separate distribution might be advantageous. It appears that the CGIServlet is completely self-contained. It makes use of the following internal(ish) Tomcat APIs: org.apache.catalina.util.IOTools org.apache.juli.logging.Log org.apache.juli.logging.LogFactory org.apache.tomcat.util.compat.JrePlatform org.apache.tomcat.util.res.StringManager All of these could be replaced if necessary to make a standalone, container-agnostic package. It looks like it would be fairly easy to separate-out the CGIServlet into a separate JAR file packaging if there's utility in that. For example, security-conscious environments may want to remove that JAR file entirely from the Tomcat deployment to be absolutely sure that Runtime.exec() isn't available in the deployed Java code (from the container; yet I realize that SSIServlet/SSIFilter has this, too). I'd like to go ahead and move the CGIServlet from the general catalina.jar file into catalina-cgi.jar. That should only require a small change to the build.xml script. Any objections? - -chris On 10/7/19 10:59, Christopher Schultz wrote: > All, > > I recently gave a presentation on locking-down Apache Tomcat[1] and > I briefly discussed the "sharp edges" present in Tomcat. Some of > them are unnecessarily sharp and may be actually unnecessary. I'm > going to make a few proposals to remove functions from Tomcat. > > Proposal: Remove CGI Servlet > > Justification: > > The CGIServlet is another component, like server-side-includes, > which is a remote-code execution (RCE) vulnerability as a feature. > It is very easy to misconfigure. It is arguably not possible to > secure it on Windows[2]. There are better solutions if you want to > run Perl, Python, PHP, or whatever on your server in the form of > the many fine web-server products out there. > > -chris > > > [1] > http://tomcat.apache.org/presentations.html#latest-locking-down-tomc > > at > [2] > https://blogs.msdn.microsoft.com/twistylittlepassagesallalike/2011/04/ 23 > > /everyone-quotes-command-line-arguments-the-wrong-way/ > -----BEGIN PGP SIGNATURE----- Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2281sACgkQHPApP6U8 pFjMLw//cR2e2f32IUVK7kbbK2isBhmqd+GB/MhC9/Dt6d7iBPElr1gOid2zegpg BLVzAdzCjUxR1TlzTfOqq7riZwYPui6+URGePsVyNms3c4tM9hWMArqtYRJFnQXt bQCRS7dsS7dyonJTdJzAQFwN+zqjP1We4AORSO1uOjPA8wF7NK4d4mQ1yMaF7Bsj CzGIzvo31iRCix2TUJiok0SrRU9qRQn8IzTU2tUswTEGDR0lTjnSc6XUzvBgYbmx WF8AVLsjYIJKt1zDDAmAckhnio1Vq9jIwp/fHYd16NPy8n5Mfn1IkWmuZ8RGMDXM o0W4/HYRYV+9WWiGF3aUrSbmu2hOwXdbPcYm+hzntWzyHoY5JGVSCXS1HrFIGr4S TZTLzj7sCV+Yl5Na8spie3S5rZ0EsI2BzP7fwmvmBEHAzetFr/tQFYv9t6ibZHUF e06ef39ws7sO8GlII3TEKfMaByY1BMX/jv8RD6qSCrdLPQgwAzInfL3wJLdqykNC 8SkS1h0Oo4Dm4lrBuAnrwo6cCZOVzI5SJz1q3hJja5BnAg1+7920ts4LGS1EbJVu 2mnlgWJg7veMkjGEyZs3W0WKkOZHnuQjY1gZRBDBnBqqRy7OUmWIftVixUK2m6sP IKVnaT0f5bS47gqt4wahhuwLo5+JCEiSTpEVlhNV2ZK5ZwAvSWU= =dNvr -----END PGP SIGNATURE----- --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org