tomcat-dev mailing list archives

From Paul Speed <>
Subject servlets-ssi.renametojar
Date Thu, 29 Nov 2001 07:57:31 GMT

I'm currently looking into the security issues pertaining to enabling
this by default.  I followed the conversation for why it is the way
it is, but now that I'm actually in the guts of the thing, I don't
think I fully understand.

The issue as I remember it is that the SsiExec class in servlets-ssi.jar 
could be exploited even if SSI support wasn't enabled in the web.xml 
file.  The part I'm fuzzy on is how this can be true.

Since servlets-ssi.jar is loaded into the server class loader
(server/lib) it seems to me that it would be impossible for a rogue
webapp to access any classes in this jar.

In any case, my solution should protect from these kinds of attacks
also; I'm just not sure they're possible.

I'll be submitting a patch shortly that should allow SSI support to
be enabled by default but would require a specific configuration
change to get the "exec" directive to work.

-Paul Speed

P.S.: I'd be curious to know of anyone actually using the "exec"
directive.  Looking at the code, I'm not sure I see how it works
for non-CGI stuff.
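An added illustration of the split the message proposes (enable SSI by default, but make "exec" an explicit opt-in); this is not Paul's patch and not code from the Tomcat tree. It assumes the `allowExec` init parameter that later Tomcat releases document for `org.apache.catalina.ssi.SSIServlet`; the servlet class name and the `*.shtml` mapping are the standard ones.

```xml
<!-- Default deployment: SSI directives such as #include and #echo work,
     but the "exec" directive is refused.  The allowExec parameter is an
     assumption here (it is the switch documented for SSIServlet in later
     Tomcat releases); the patch discussed in the message predates it. -->
<servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
        <param-name>allowExec</param-name>
        <param-value>false</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
</servlet-mapping>

<!-- Opt-in variant: only an administrator who deliberately edits this
     file gets "exec", which is the "specific configuration change" the
     message calls for.  Anything that can run a command on the server
     host deserves this explicit step rather than being on by default. -->
<servlet>
    <servlet-name>ssi-with-exec</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
        <param-name>allowExec</param-name>
        <param-value>true</param-value>
    </init-param>
</servlet>
<servlet-mapping>
    <servlet-name>ssi-with-exec</servlet-name>
    <url-pattern>*.shtml</url-pattern>
</servlet-mapping>
```

Only one of the two servlet definitions would be present in a given web.xml; they are shown side by side to contrast the default with the opt-in.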
