tomcat-dev mailing list archives

From Bip Thelin
Subject Re: CGI support servlet (TC 4) -- feedback wanted
Date Mon, 02 Apr 2001 21:44:35 GMT
"Craig R. McClanahan" wrote:
> > >
> > > 2) Addition to default context
> > >
> > > Would this CGI servlet be added to the default context similar to
> > > SsiInvokerServlet?
> >
> > Yes.
> >
> I would suggest that we do this, but leave it commented out.  The reason
> is that the potential for mischief is *much* larger when we are talking
> about executing outside programs instead of just displaying content back
> to a web browser.  I vote for making the Tomcat sysadmin have to enable
> this feature explicitly if they want it.
> Once we implement the #exec functionality in SSI, the same argument would
> apply here -- unless we added a config option to disable the #exec by
> default but left everything else alone.

+1 on having CGI in web.xml but commented out. Regarding SSI, I suggest
we add a configuration property (like Apache's NoExec) that sets whether #exec is
allowed or not. And if that property is not set it defaults to NoExec.

So for a standard setup SSI would be allowed but you'd have to bug your
Tomcat sysadmin to have the #exec option enabled.
Sort of like a standard Apache setup.


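Added example, not part of the original message or of Tomcat's code: a small audit of a `web.xml` that applies the two defaults discussed in this thread, namely that a commented-out CGI servlet counts as disabled and that SSI `#exec` is denied unless explicitly enabled. The servlet class names and the `allowExec` parameter are assumptions taken from later Tomcat releases, the sample `web.xml` is constructed, and the file is assumed to use no XML namespace.

```python
import xml.etree.ElementTree as ET

# Assumed names (from later Tomcat releases, not from this thread).
CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"
SSI_CLASS = "org.apache.catalina.ssi.SSIServlet"
EXEC_PARAM = "allowExec"

# Constructed sample: CGI is shipped but commented out, SSI is enabled
# with no exec setting, so the default-deny rule must apply.
SAMPLE_WEB_XML = """<web-app>
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  -->
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
  </servlet>
</web-app>"""


def audit(web_xml):
    """Report which exec-capable features a web.xml actually turns on."""
    result = {"cgi_enabled": False, "ssi_enabled": False, "ssi_exec": False}
    root = ET.fromstring(web_xml)  # the parser drops commented-out blocks
    for servlet in root.iter("servlet"):
        cls = (servlet.findtext("servlet-class") or "").strip()
        if cls == CGI_CLASS:
            result["cgi_enabled"] = True
        elif cls == SSI_CLASS:
            result["ssi_enabled"] = True
            for param in servlet.findall("init-param"):
                if (param.findtext("param-name") or "").strip() == EXEC_PARAM:
                    value = (param.findtext("param-value") or "").strip()
                    # Only an explicit "true" enables exec; unset or other values deny.
                    result["ssi_exec"] = value.lower() == "true"
    return result
```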