tomcat-dev mailing list archives

From Christopher Schultz <ch...@christopherschultz.net>
Subject [PROPOSAL] Tomcat 10: Remove Server-Side Includes (SSI)
Date Mon, 07 Oct 2019 14:46:23 GMT

All,

I recently gave a presentation on locking-down Apache Tomcat[1] and I
briefly discussed the "sharp edges" present in Tomcat. Some of them
are unnecessarily sharp and may be actually unnecessary. I'm going to
make a few proposals to remove functions from Tomcat.

Proposal: Remove Server-Side Includes

Justification:

The SSI module is a remote-code execution (RCE) vulnerability as a
feature. My sense is that SSI is a little-used feature. A few years
ago, markt[2] asked if anyone was using SSI. The only replies were
from other Tomcat devs commenting on what to do with SSI if it's no
longer in the main Tomcat distribution; there were no community
members who responded saying that SSI was important to them.

If the packaging of Tomcat could be tweaked a bit to move the SSI
components into a separate JAR file (e.g. move
org/apache/catalina/ssi/* to catalina-ssi.jar) and if the SSI
components don't rely on any Tomcat-specific capabilities or
internals, then the catalina-ssi.jar file could be used between
Tomcat versions. For example, a user of Tomcat 10 who still needs SSI
could get the SSI module from a distribution of Tomcat 8.5.x or 9.x.

-chris


[1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat
[2] https://lists.apache.org/thread.html/969a9d1b6e883a4017907c448292880624cc85eb22c490b241dc9c88@%3Cusers.tomcat.apache.org%3E
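
An added illustration, not part of the original post or of Tomcat's code: a Python check an administrator could run over a `web.xml` to see whether the SSI servlet or filter from `org.apache.catalina.ssi` is actively declared and mapped. The sample `web.xml` is constructed, and `allowExec` is the init-param name from Tomcat's SSI documentation, which the post does not mention.

```python
import xml.etree.ElementTree as ET

SSI_CLASSES = {"org.apache.catalina.ssi.SSIServlet",
               "org.apache.catalina.ssi.SSIFilter"}

def _local(tag):
    # Strip an XML namespace prefix: '{ns}servlet' -> 'servlet'
    return tag.rsplit("}", 1)[-1]

def _text(elem, name):
    # Text of the first direct child called `name`, or None
    for child in elem:
        if _local(child.tag) == name:
            return (child.text or "").strip()
    return None

def find_ssi(web_xml_text):
    """Findings for active SSI declarations (the parser drops XML comments)."""
    root = ET.fromstring(web_xml_text)
    findings = []
    for decl in root:
        kind = _local(decl.tag)                      # 'servlet' or 'filter'
        if kind not in ("servlet", "filter"):
            continue
        if _text(decl, kind + "-class") not in SSI_CLASSES:
            continue
        name = _text(decl, kind + "-name")
        params = {_text(p, "param-name"): _text(p, "param-value")
                  for p in decl if _local(p.tag) == "init-param"}
        mapped = any(_local(m.tag) == kind + "-mapping"
                     and _text(m, kind + "-name") == name for m in root)
        findings.append({"name": name, "mapped": mapped,
                         "allow_exec": (params.get("allowExec") or "").lower() == "true"})
    return findings

# Constructed sample: one commented-out declaration, one active one.
SAMPLE = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!-- <servlet><servlet-name>old</servlet-name>
       <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class></servlet> -->
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param><param-name>allowExec</param-name><param-value>true</param-value></init-param>
  </servlet>
  <servlet-mapping><servlet-name>ssi</servlet-name><url-pattern>*.shtml</url-pattern></servlet-mapping>
</web-app>"""

if __name__ == "__main__":
    print(find_ssi(SAMPLE))
```

A finding with `mapped` true means requests can reach the SSI processor; `allow_exec` true means the declaration turns on the SSI `exec` directive.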