Hello, I'm currently looking into the security issues pertaining to enabling this by default. I followed the conversation for why it is the way it is, but now that I'm actually in the guts of the thing, I don't think I fully understand.
The issue, as I remember it, is that the SsiExec class in servlets-ssi.jar could be exploited even if SSI support wasn't enabled in the web.xml file. The part I'm fuzzy on is how this can be true. Since servlets-ssi.jar is loaded into the server class loader (server/lib), it seems to me that it would be impossible for a rogue webapp to access any classes in this jar. In any case, my solution should protect from these kinds of attacks also; I'm just not sure they're possible.

I'll be submitting a patch shortly that should allow SSI support to be enabled by default but would require a specific configuration change to get the "exec" directive to work.

-Paul Speed

P.S.: I'd be curious to know of anyone actually using the "exec" directive. Looking at the code, I'm not sure I see how it works for non-CGI stuff.
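As an added illustration of the kind of configuration change the message describes (this is not code from the original message, nor from the patch it announces), here is a web.xml fragment that enables the SSI servlet while keeping the "exec" directive switched off, next to the opt-in form that turns it on. The servlet class name org.apache.catalina.ssi.SSIServlet and the init-param name allowExec are the ones used by later Tomcat releases; they are assumptions here, since the message does not say what its patch calls the switch.

```xml
<!-- Added example (not from the original message). Class and parameter
     names are those of later Tomcat releases and are assumed here. -->
<web-app>

  <!-- Variant 1: SSI on, #exec refused. This is the default to ship with.
       #include, #echo, #flastmod etc. still work; an #exec directive in
       a page is rejected instead of spawning a process. -->
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
      <param-name>buffered</param-name>
      <param-value>1</param-value>
    </init-param>
    <init-param>
      <param-name>debug</param-name>
      <param-value>0</param-value>
    </init-param>
    <init-param>
      <param-name>allowExec</param-name>
      <param-value>false</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
  </servlet>

  <!-- Variant 2: explicit opt-in. Only for deployments that really rely on
       #exec cmd="..." / #exec cgi="...". Anyone who can write a .shtml file
       into this webapp can then run commands as the Tomcat process user. -->
  <!--
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
      <param-name>allowExec</param-name>
      <param-value>true</param-value>
    </init-param>
    <load-on-startup>4</load-on-startup>
  </servlet>
  -->

  <!-- Either way, the servlet only sees requests for the extension(s) mapped
       to it; leaving this mapping out disables SSI processing entirely. -->
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>

</web-app>
```

The point of the two-step setup is the one the message makes: turning SSI on should be cheap and harmless, while "exec" should need a deliberate, per-deployment decision, because it hands whoever controls the page content a shell on the server. In the Tomcat releases that ship the SSI servlet under server/lib, a webapp additionally has to be marked privileged in its Context before it can load that servlet class at all, which is exactly the class-loader boundary the message is asking about; treat that detail as an assumption about later versions rather than something the message states.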