tomcat-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Bip Thelin" <>
Subject RE: DO NOT REPLY [Bug 4361] - SsiServlet potentially leaks files
Date Tue, 23 Oct 2001 23:24:53 GMT
> -----Original Message-----
> From: Paul Speed [] 
> For the curious reader, after looking into this code at some length
> it seems clear why the set command was not added.  All SSI requests
> share the same environment, which not only makes a set command 
> impossible but also means that multiple SSI requests (or even nested
> SSI requests) trample all over each other.  A simple shtml file that
> includes two other shtml files illustrates this quite nicely.

Do you have a smal testcase? We have unittests with Tomcat that have
nested includes and several includes in one page. All Ssi directives
share the same enviroment per page through a mediator, this is due to
the fact that you can have a config directive that changes the error
message that you would get for a failed include further down on the same
page, for instance.

However if pageA includes pageB, if pageB is also an shtml/ssi file it
would have a new fresh enviroment and could not tamper with pageA's

So you could easily do a set command simmilar to the config command.

> Since I'm between assignments at the moment, I'm working on a patch
> here locally.  It's pretty significant, though, so it may take me a 
> few days.  It will include the set command though since that's what
> I'm going to use to test it. :)

Patches and additions are gladly appreciated.

	Bip Thelin

View raw message