tomcat-dev mailing list archives

From Mel Martinez <melaqu...@yahoo.com>
Subject Re: CGI support servlet (TC 4) -- feedback wanted
Date Mon, 02 Apr 2001 23:33:35 GMT

--- Bip Thelin <bip@razorfish.com> wrote:
> "Craig R. McClanahan" wrote:
> > 
> > > >
> > > > 2) Addition to default context
> > > >
> > > > Would this CGI servlet be added to the default context similar to
> > > > SsiInvokerServlet?
> > >
> > > Yes.
> > >
> > 
> > I would suggest that we do this, but leave it commented out.  The reason
> > is that the potential for mischief is *much* larger when we are talking
> > about executing outside programs instead of just displaying content back
> > to a web browser.  I vote for making the Tomcat sysadmin have to enable
> > this feature explicitly if they want it.
> > 
> > Once we implement the #exec functionality in SSI, the same argument would
> > apply here -- unless we added a config option to disable the #exec by
> > default but left everything else alone.
> 
> +1 on having CGI in web.xml but commented out, regarding SSI I suggest
> we add a configure property (like Apache's NoExec) that sets whether #exec is
> allowed or not. And if that property is not set it defaults to NoExec.
> 
> So for a standard setup SSI would be allowed but you'd have to bug your
> Tomcat sysadmin to have the #exec option enabled.
> Sort of like a standard Apache setup.
> 
> 	..bip

+1 on what Bip said.

mel

