-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Coty,

On 10/7/19 11:02, Coty Sutherland wrote:
> On Mon, Oct 7, 2019 at 11:00 AM Christopher Schultz
> <ch...@christopherschultz.net <mailto:ch...@christopherschultz.net>> wrote:
>
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1] and
>> I briefly discussed the "sharp edges" present in Tomcat. Some of
>> them are unnecessarily sharp and may be actually unnecessary. I'm
>> going to make a few proposals to remove functions from Tomcat.
>>
>> Proposal: Remove CGI Servlet
>
> +1
>
>> Justification:
>>
>> The CGIServlet is another component, like server-side-includes,
>> which is a remote-code execution (RCE) vulnerability as a feature.
>> It is very easy to misconfigure. It is arguably not possible to
>> secure it on Windows[2]. There are better solutions if you want to
>> run Perl, Python, PHP, or whatever on your server in the form of
>> the many fine web-server products out there.
>
> I thought this was a really weird feature for Tomcat to provide
> anyway :)

I think there was a lot of "me-too-ism" happening back in the day. I
get it: why use two separate servers when one will do the trick?
- -chris
-----BEGIN PGP SIGNATURE-----
Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/

iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bVfwACgkQHPApP6U8
pFjA/RAAyW7nluFxfWFmQAKazbpGwjgBIM8LCxrVtWfVDzaXpEWdkP259P9HdO+m
TmFAOFYzlw4pstR73AhcQk/pLxF8mWYzU0Fi+uaPCDEDJ3OsJjKuGNRu3o51OMjF
j7+666hxS3VmfkiFqejhPClaFB3QPHzA0YopMdjPGyAJJ7eQExXZXdUVbSQeh+v3
1Ka/57Sm0wdRRHpdd2N22jh3NDKR/laC8gnqzbnr5WealN+Yeb9ECIg6c6ooD2cy
fo5SGAsllzMWdNWtckAPZ+Op7S96mdro6Komyp5VNgOLGd4kILA4e3KfbVyYBBAj
HEyY5st6BHIhqtbjRou+/9e0Z94sZU7Wa7JSDo/tdc9bWeoBYSfewTRDBKp7yREV
tHsHOMDAW88MveP6Eu/daxV+ZUhY/s6u/UHnfHsgYcdvnDHj7IFki80qRZpH7h19
LjHX6h1EnS79p8+lszY7bA/XFfOw+f4T5VjnvyAr/ospU9GVdE7SnUEI2lzejn1/
PUoTlWEhTH4BJ5+l5BtKxXriuyckfULSDLKckIoMyGe6+JrXHEbfc40aO6hsnZVq
2jYvTydaHPGOaINZahrs1m9eGa6upduHVo0rtwN1eBLDa339o072jKG1yP81xYUN
xql1LOjEqhcsUtxUfvZr/uDYOxivuqGJwfsHzNv+1XUGeY334to=
=2JSs
-----END PGP SIGNATURE-----

---------------------------------------------------------------------
To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org
For additional commands, e-mail: dev-h...@tomcat.apache.org
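The justification quoted above says the CGIServlet "is very easy to misconfigure", and the practical question for an operator is whether it is enabled at all. As an added example, not code from this thread or from the Tomcat project, the following Python script audits a Tomcat deployment descriptor for an enabled CGIServlet: it parses web.xml with the standard library, reports whether org.apache.catalina.servlets.CGIServlet is declared, which URL patterns are mapped to it and which init-params it carries. The two descriptors embedded in it are constructed samples (one with the servlet enabled under /cgi-bin/*, one with the same declaration left inside an XML comment); the `cgiPathPrefix` value and the servlet name `cgi` are sample values, not taken from any real installation.

```python
"""Audit Tomcat web.xml descriptors for an enabled CGIServlet.
Added example, not code from the thread or the Tomcat project; stdlib only."""
import sys
import xml.etree.ElementTree as ET

CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"

# Constructed sample: CGIServlet declared and mapped, the exposed state.
WEB_XML_ENABLED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

# Constructed sample: the same declaration left inside an XML comment, the
# safe state. The parser never sees commented-out elements.
WEB_XML_DISABLED = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
  -->
</web-app>
"""


def _local(tag):
    """Drop the namespace so any web-app schema version is handled alike."""
    return tag.rsplit("}", 1)[-1]


def _children(elem, name):
    return [c for c in elem if _local(c.tag) == name]


def _text(elem, name):
    found = _children(elem, name)
    return found[0].text.strip() if found and found[0].text else None


def audit_cgi_servlet(web_xml_text):
    """Return {'declared', 'servlet_names', 'url_patterns', 'init_params'}
    for one descriptor; declared is False when no servlet uses CGIServlet."""
    root = ET.fromstring(web_xml_text)
    names, init_params = [], {}
    for servlet in _children(root, "servlet"):
        if _text(servlet, "servlet-class") == CGI_SERVLET_CLASS:
            name = _text(servlet, "servlet-name")
            names.append(name)
            init_params[name] = {_text(p, "param-name"): _text(p, "param-value")
                                 for p in _children(servlet, "init-param")}
    patterns = []
    for mapping in _children(root, "servlet-mapping"):
        if _text(mapping, "servlet-name") in names:
            # One mapping may carry several url-pattern elements; keep all.
            patterns += [p.text.strip() for p in _children(mapping, "url-pattern")
                         if p.text]
    return {"declared": bool(names), "servlet_names": names,
            "url_patterns": patterns, "init_params": init_params}


def summarize(label, result):
    """One finding line for a hardening report."""
    if not result["declared"]:
        return f"{label}: CGIServlet not declared (OK)"
    return (f"{label}: CGIServlet ENABLED as {result['servlet_names']} on "
            f"{result['url_patterns'] or ['<unmapped>']} "
            f"init-params={result['init_params']}")


if __name__ == "__main__":
    # No arguments: audit the constructed samples. Otherwise audit each
    # descriptor path given, e.g. conf/web.xml and webapps/*/WEB-INF/web.xml.
    if len(sys.argv) > 1:
        for path in sys.argv[1:]:
            with open(path, encoding="utf-8") as fh:
                print(summarize(path, audit_cgi_servlet(fh.read())))
    else:
        print(summarize("sample-enabled", audit_cgi_servlet(WEB_XML_ENABLED)))
        print(summarize("sample-disabled", audit_cgi_servlet(WEB_XML_DISABLED)))
```

Run it over every descriptor Tomcat reads, because a declaration and mapping in the global conf/web.xml applies to every deployed application, while a per-application WEB-INF/web.xml can enable the servlet for that application alone. A declaration that only exists inside an XML comment is invisible to the parser and is reported as not declared, which is the state the proposal above wants to make permanent.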