tomcat-dev mailing list archives

From Glenn Nielsen <gl...@voyager.apg.more.net>
Subject Re: SSI Servlet has big problems
Date Sat, 04 May 2002 03:19:43 GMT
Dan Sandberg wrote:
> 
> >
> >
> >Dan Sandberg wrote:
> >
> >
> >>I'll be done with the SSI rewrite tomorrow.
> >>
> >>I'd like to get the community's advice on a number of issues:
> >>
> >>1-I changed the names of the files from Ssi... to SSI...  This seems to
> >>be more consistent with the naming scheme of other files, and made
> >>things easier for me since I did a gradual rewrite of everything.  This
> >>will make it harder to see what I changed when I submit a diff,
> >>however.  I changed 75% of everything, so I'm not sure this matters.  Is
> >>it ok?
> >>
> >>
> >>
> >
> >That's fine, please put the SSI servlet code into a sub package in servlet
> >also.  i.e. org.apache.catalina.servlet.ssi.*.
> >
> >
> 
> Right now the servlet (one class) is in: org.apache.catalina.servlets
> While all its supporting classes are in: org.apache.catalina.util.ssi
> 
> I propose moving all the SSI support classes to: org.apache.catalina.ssi
> 
> They don't belong in servlet, since they CAN be used without a servlet (
> for example, in a filter ) and they prob. don't belong in util, since
> they can't be used by anything other than the SSIServlet, and the SSIFilter.
> 
> >>2-What's the story with the SSI jar having the .renametojar extension?
> >> I'm surmising that this is because this class will be loaded under the
> >>system class loader rather than the user servlet class loader, causing
> >>the #exec functionality to be a security risk.  Can't we just have a
> >>directory where we put servlets that should be loaded under the 'safe'
> >>class loader?
> >>
> >>
> >>
> >
> >Yes, this is so SSI can not be used without the admin explicitly enabling
> >it by renaming the jar.  Whether the Runtime.exec() method can be called
> >is dependent upon the catalina.policy, not on what ClassLoader is used.
> >
> >I have proposed a reorganization of the servlets into sub packages in
> >org.apache.catalina.servlets.  In addition moving the jar files for the
> >servlets into a separate directory. /server/servlets for those which require
> >access to privileged internal catalina code, and /shared/servlets for those
> >which do not require access to privileged catalina code.
> >
> Sounds good.  Why is this not a problem with JSP pages then?  How is
> doing an exec in SSI different than doing a Runtime.exec in JSP?
> 

Security!  I do not allow Runtime.exec() to be used in JSP pages on
instances of Tomcat I administer.  That could be a huge security hole.
I use the Java SecurityManager and a strict catalina.policy to prevent it.
I also don't install either the SSI or CGI servlets for security reasons.
Because both of these are a potential security risk they are disabled in
the Tomcat distribution.

Regards,

Glenn

----------------------------------------------------------------------
Glenn Nielsen             glenn@more.net | /* Spelin donut madder    |
MOREnet System Programming               |  * if iz ina coment.      |
Missouri Research and Education Network  |  */                       |
----------------------------------------------------------------------
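
The point made in this message, that Runtime.exec() is gated by a SecurityManager permission check rather than by the class loader, shown as an added example that is not part of the original message or of Tomcat's code. The class names are hypothetical, the custom SecurityManager stands in for a strict catalina.policy, and a JDK of version 17 or earlier is assumed (later JDKs refuse System.setSecurityManager by default).

```java
import java.io.FilePermission;
import java.security.Permission;

@SuppressWarnings({"removal", "deprecation"})
public class ExecPolicyDemo {

    // Stand-in for a strict policy file: refuse every FilePermission that
    // carries the "execute" action and allow everything else. In a policy
    // file, exec is only possible for code that has been granted e.g.
    //   permission java.io.FilePermission "<<ALL FILES>>", "execute";
    static class NoExecSecurityManager extends SecurityManager {
        @Override
        public void checkPermission(Permission perm) {
            if (perm instanceof FilePermission
                    && perm.getActions().contains("execute")) {
                throw new SecurityException(
                        "exec denied by policy: " + perm.getName());
            }
        }
    }

    // Returns true if the JVM let the command start, false if the
    // SecurityManager rejected it before any process was created.
    static boolean tryExec(String... command) throws Exception {
        try {
            // Runtime.exec() -> ProcessBuilder.start() -> checkExec(),
            // which checks FilePermission(command, "execute").
            Runtime.getRuntime().exec(command).waitFor();
            return true;
        } catch (SecurityException e) {
            System.out.println("blocked: " + e.getMessage());
            return false;
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed sample command; it is never started, because the
        // permission check fails first.
        String[] cmd = {"/bin/ls"};
        System.setSecurityManager(new NoExecSecurityManager());
        System.out.println("exec allowed: " + tryExec(cmd));
    }
}
```

The same class, loaded by any class loader, gets the same answer: the decision comes from the permissions in force, which is what a catalina.policy without an "execute" grant enforces for JSP, SSI and CGI code alike.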
