Author: markt
Date: Tue Jul 13 21:35:39 2010
New Revision: 963868
URL: http://svn.apache.org/viewvc?rev=963868&view=rev
Log:
Fix https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
Disable exec by default in SSI and provide an option to enable it for both
Servlet and Filter
Modified:
tomcat/trunk/conf/web.xml
tomcat/trunk/java/org/apache/catalina/ssi/SSIFilter.java
tomcat/trunk/java/org/apache/catalina/ssi/SSIProcessor.java
tomcat/trunk/java/org/apache/catalina/ssi/SSIServlet.java
tomcat/trunk/webapps/docs/changelog.xml
tomcat/trunk/webapps/docs/ssi-howto.xml
Modified: tomcat/trunk/conf/web.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/conf/web.xml?rev=963868&r1=963867&r2=963868&view=diff
==============================================================================
--- tomcat/trunk/conf/web.xml (original)
+++ tomcat/trunk/conf/web.xml Tue Jul 13 21:35:39 2010
@@ -267,6 +267,8 @@
<!-- -->
<!-- outputEncoding The encoding to use for the page that results -->
<!-- from the SSI processing. [UTF-8] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
<!--
<servlet>
@@ -415,6 +417,8 @@
<!-- Should "virtual" paths be interpreted as -->
<!-- relative to the context root, instead of -->
<!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
<!--
<filter>
Modified: tomcat/trunk/java/org/apache/catalina/ssi/SSIFilter.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ssi/SSIFilter.java?rev=963868&r1=963867&r2=963868&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/ssi/SSIFilter.java (original)
+++ tomcat/trunk/java/org/apache/catalina/ssi/SSIFilter.java Tue Jul 13
21:35:39 2010
@@ -59,6 +59,8 @@ public class SSIFilter implements Filter
/** default pattern for ssi filter content type matching */
protected Pattern shtmlRegEx =
Pattern.compile("text/x-server-parsed-html(;.*)?");
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
@@ -87,6 +89,8 @@ public class SSIFilter implements Filter
if (config.getInitParameter("expires") != null)
expires = Long.valueOf(config.getInitParameter("expires"));
+ allowExec = Boolean.parseBoolean(config.getInitParameter("allowExec"));
+
if (debug > 0)
config.getServletContext().log(
"SSIFilter.init() SSI invoker started with 'debug'=" +
debug);
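Review bot: `Boolean.parseBoolean` on the added line accepts only the literal `true` (case-insensitive), so a deployer who writes `allowExec=1`, following the `0=false, 1=true` convention this same filter documents for `isVirtualWebappRelative` in web.xml and ssi-howto, silently gets exec left disabled. That is fail-safe, but the mismatch should be stated next to the parse so it is not mistaken for a bug, e.g. `// only the literal "true" enables exec; any other value (including "1") keeps it off`. The debug log on the last lines of the hunk also reports only `debug`, so the one setting here that matters for security is invisible at startup; consider `if (allowExec) config.getServletContext().log("SSIFilter.init() 'allowExec' is true: SSI exec command is enabled");`.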
@@ -125,7 +129,7 @@ public class SSIFilter implements Filter
new SSIServletExternalResolver(config.getServletContext(), req,
res, isVirtualWebappRelative, debug, encoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
// prepare readers/writers
Reader reader =
Modified: tomcat/trunk/java/org/apache/catalina/ssi/SSIProcessor.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ssi/SSIProcessor.java?rev=963868&r1=963867&r2=963868&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/ssi/SSIProcessor.java (original)
+++ tomcat/trunk/java/org/apache/catalina/ssi/SSIProcessor.java Tue Jul 13
21:35:39 2010
@@ -44,11 +44,14 @@ public class SSIProcessor {
protected HashMap<String,SSICommand> commands =
new HashMap<String,SSICommand>();
protected int debug;
+ protected final boolean allowExec;
- public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) {
+ public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug,
+ boolean allowExec) {
this.ssiExternalResolver = ssiExternalResolver;
this.debug = debug;
+ this.allowExec = allowExec;
addBuiltinCommands();
}
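Review bot: The two-argument constructor is removed rather than kept, so any code outside this commit that calls `new SSIProcessor(resolver, debug)` — SSIProcessor is a public class in a public package, so such callers are plausible — no longer compiles. A delegating overload preserves source compatibility and defaults to the safe setting: `public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) { this(ssiExternalResolver, debug, false); }`. The field is assigned before `addBuiltinCommands()` runs, so the ordering is right; a Javadoc `@param allowExec whether the exec command is registered (false by default because exec runs external programs)` would tell callers what they are opting into.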
@@ -56,7 +59,9 @@ public class SSIProcessor {
protected void addBuiltinCommands() {
addCommand("config", new SSIConfig());
addCommand("echo", new SSIEcho());
- addCommand("exec", new SSIExec());
+ if (allowExec) {
+ addCommand("exec", new SSIExec());
+ }
addCommand("include", new SSIInclude());
addCommand("flastmod", new SSIFlastmod());
addCommand("fsize", new SSIFsize());
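Review bot: With exec not registered, what a page sees when it still contains an `#exec` directive is decided by the command lookup in the processing loop, which is outside this hunk; from here I cannot tell whether it renders an error string, logs, or fails silently, and a deployer who has not set allowExec may get an unexplained blank spot. A comment on the guarded registration would record the intent, e.g. `// exec runs external programs from page content (per the commit log); register it only when the deployer opted in via allowExec`. If the lookup path does not already log or emit the configured errmsg for an unknown command, consider doing so for this case specifically. `addBuiltinCommands` continues past the end of the hunk.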
Modified: tomcat/trunk/java/org/apache/catalina/ssi/SSIServlet.java
URL:
http://svn.apache.org/viewvc/tomcat/trunk/java/org/apache/catalina/ssi/SSIServlet.java?rev=963868&r1=963867&r2=963868&view=diff
==============================================================================
--- tomcat/trunk/java/org/apache/catalina/ssi/SSIServlet.java (original)
+++ tomcat/trunk/java/org/apache/catalina/ssi/SSIServlet.java Tue Jul 13
21:35:39 2010
@@ -56,6 +56,8 @@ public class SSIServlet extends HttpServ
protected String inputEncoding = null;
/** Output encoding. If not specified, uses platform default */
protected String outputEncoding = "UTF-8";
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
@@ -84,6 +86,9 @@ public class SSIServlet extends HttpServ
if (getServletConfig().getInitParameter("outputEncoding") != null)
outputEncoding =
getServletConfig().getInitParameter("outputEncoding");
+ allowExec = Boolean.parseBoolean(
+ getServletConfig().getInitParameter("allowExec"));
+
if (debug > 0)
log("SSIServlet.init() SSI invoker started with 'debug'=" + debug);
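Review bot: The existing debug line at the end of the hunk reports only `debug`, so an operator reading the startup log cannot tell whether exec was switched on, which is the one setting added here that matters for security. Log it whenever it is enabled, independent of the debug level, e.g. `if (allowExec) log("SSIServlet.init() 'allowExec' is true: SSI exec command is enabled");`. A short comment on the parse would also help, since `Boolean.parseBoolean` treats anything other than the literal `true` (case-insensitive) as false: `// only "true" enables exec; unset or any other value keeps it off`.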
@@ -181,7 +186,7 @@ public class SSIServlet extends HttpServ
new SSIServletExternalResolver(getServletContext(), req, res,
isVirtualWebappRelative, debug, inputEncoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
PrintWriter printWriter = null;
StringWriter stringWriter = null;
if (buffered) {
Modified: tomcat/trunk/webapps/docs/changelog.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/changelog.xml?rev=963868&r1=963867&r2=963868&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/changelog.xml (original)
+++ tomcat/trunk/webapps/docs/changelog.xml Tue Jul 13 21:35:39 2010
@@ -60,6 +60,11 @@
<bug>48297</bug>: Correctly initialise handler chain for web services
resources. (markt)
</fix>
+ <add>
+ <bug>48960</bug>: Add a new option to the SSI Servlet and SSI Filter to
+ allow the disabling of the <code>exec</code> command. This is now
+ disabled by default. Based on a patch by Yair Lenga. (markt)
+ </add>
<fix>
<bug>49030</bug>: When initializing/starting/stopping connectors and
one of them fails, do not ignore the others. (markt/kkolinko)
Modified: tomcat/trunk/webapps/docs/ssi-howto.xml
URL:
http://svn.apache.org/viewvc/tomcat/trunk/webapps/docs/ssi-howto.xml?rev=963868&r1=963867&r2=963868&view=diff
==============================================================================
--- tomcat/trunk/webapps/docs/ssi-howto.xml (original)
+++ tomcat/trunk/webapps/docs/ssi-howto.xml Tue Jul 13 21:35:39 2010
@@ -105,6 +105,8 @@ resources if one cannot be determined fr
the default platform encoding.</li>
<li><strong>outputEncoding</strong> - The encoding to be used for the result
of the SSI processing. Default is UTF-8.</li>
+<li><strong>allowExec</strong> - Is the exec command enabled? Default is
+false.</li>
</ul>
</p>
@@ -128,6 +130,8 @@ evaluated for every request.</li>
<li><strong>isVirtualWebappRelative</strong> - Should "virtual" SSI directive
paths be interpreted as relative to the context root, instead of the server
root? (0=false, 1=true) Default 0 (false).</li>
+<li><strong>allowExec</strong> - Is the exec command enabled? Default is
+false.</li>
</ul>
</p>