On Mon, Oct 7, 2019 at 4:46 PM Christopher Schultz < ch...@christopherschultz.net> wrote:
> All,
>
> I recently gave a presentation on locking-down Apache Tomcat[1] and I
> briefly discussed the "sharp edges" present in Tomcat. Some of them
> are unnecessarily sharp and may be actually unnecessary. I'm going to
> make a few proposals to remove functions from Tomcat.
>
> Proposal: Remove Server-Side Includes
>
> Justification:
>
> The SSI module is a remote-code execution (RCE) vulnerability as a
> feature. My sense is that SSI is a little-used feature. A few years
> ago, markt[2] asked if anyone was using SSI. The only replies were
> from other Tomcat devs commenting on what to do with SSI if it's no
> longer in the main Tomcat distribution; there were no community
> members who responded saying that SSI was important to them.
>
> If the packaging of Tomcat could be tweaked a bit to move the SSI
> components into a separate JAR file (e.g. move
> org/apache/catalina/ssi/* to catalina-ssi.jar) and if the SSI
> components don't rely on any Tomcat specific capabilities or
> internals, then the catalina-ssi.jar file could be used between
> Tomcat versions. For example, a user of Tomcat 10 who still needs SSI
> could get the SSI module from a distribution of Tomcat 8.5.x or 9.x.

Yes, basically I think we should remove both CGI and SSI, *but* actually keep them in a separate JAR. For CGI this is harder as it is directly in the servlets package, so it would have to be moved to servlets.cgi for Tomcat 10.
Rémy

> - -chris
>
> [1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomcat
> [2] https://lists.apache.org/thread.html/969a9d1b6e883a4017907c448292880624cc85eb22c490b241dc9c88@%3Cusers.tomcat.apache.org%3E
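The thread argues that SSI and CGI are "RCE as a feature" that most deployments never use. Until they are split out, the practical question for an operator is whether either is actually wired up in a given Tomcat instance. The script below is an added example, not code from this thread or from the Tomcat project: it parses a Tomcat `web.xml` (the global `conf/web.xml` or a webapp's `WEB-INF/web.xml`) and reports any SSI or CGI definition that is both declared and mapped, plus whether the SSI `allowExec` init-param (which gates the `#exec` directive) is switched on. The servlet and filter class names and the `allowExec` parameter come from the Tomcat documentation; the sample `web.xml` and `context.xml` embedded here are constructed for the example. Commented-out definitions, as shipped in the stock `conf/web.xml`, are skipped by the XML parser and so correctly count as disabled.

```python
"""Audit a Tomcat web.xml / context.xml for enabled SSI and CGI support.

Added example for the discussion above; not Tomcat project code.
"""
import xml.etree.ElementTree as ET

# Classes that implement the features under discussion (org/apache/catalina/ssi/*
# and the CGI servlet living directly in org.apache.catalina.servlets).
RISKY_CLASSES = {
    "org.apache.catalina.ssi.SSIServlet": "ssi",
    "org.apache.catalina.ssi.SSIFilter": "ssi",
    "org.apache.catalina.servlets.CGIServlet": "cgi",
}


def _local(tag):
    """Strip the XML namespace: '{http://...}servlet' -> 'servlet'."""
    return tag.rsplit("}", 1)[-1]


def _text(el):
    return (el.text or "").strip()


def find_enabled_features(web_xml_text):
    """Return {feature: {"patterns": [...], "allowExec": bool}} for SSI/CGI
    definitions that are declared AND mapped. A feature with no entry is off.
    XML comments are dropped by the parser, so commented-out stock entries
    are (correctly) not reported."""
    root = ET.fromstring(web_xml_text)
    declared = {}  # servlet/filter name -> (feature, allowExec)
    for el in root:
        if _local(el.tag) not in ("servlet", "filter"):
            continue
        name = cls = None
        allow_exec = False
        for child in el:
            c = _local(child.tag)
            if c in ("servlet-name", "filter-name"):
                name = _text(child)
            elif c in ("servlet-class", "filter-class"):
                cls = _text(child)
            elif c == "init-param":
                pname = pval = ""
                for p in child:
                    if _local(p.tag) == "param-name":
                        pname = _text(p)
                    elif _local(p.tag) == "param-value":
                        pval = _text(p)
                # SSIServlet/SSIFilter: allowExec enables the #exec directive
                if pname == "allowExec" and pval.lower() == "true":
                    allow_exec = True
        if name and cls in RISKY_CLASSES:
            declared[name] = (RISKY_CLASSES[cls], allow_exec)

    enabled = {}
    for el in root:
        if _local(el.tag) not in ("servlet-mapping", "filter-mapping"):
            continue
        name, patterns = None, []
        for child in el:
            c = _local(child.tag)
            if c in ("servlet-name", "filter-name"):
                name = _text(child)
            elif c == "url-pattern":
                patterns.append(_text(child))
        if name in declared:
            feature, allow_exec = declared[name]
            entry = enabled.setdefault(feature, {"patterns": [], "allowExec": False})
            entry["patterns"].extend(patterns)
            entry["allowExec"] = entry["allowExec"] or allow_exec
    return enabled


def context_is_privileged(context_xml_text):
    """SSIServlet, SSIFilter and CGIServlet only run inside a Context marked
    privileged="true"; an unprivileged context neutralises a stray mapping."""
    root = ET.fromstring(context_xml_text)
    return _local(root.tag) == "Context" and root.get("privileged", "false").lower() == "true"


# Constructed sample: SSI switched on with exec allowed, CGI left commented out.
SAMPLE_WEB_XML = """<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="4.0">
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param><param-name>allowExec</param-name><param-value>true</param-value></init-param>
  </servlet>
  <!-- stock conf/web.xml ships the CGI servlet commented out, as here
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  <servlet-mapping><servlet-name>cgi</servlet-name><url-pattern>/cgi-bin/*</url-pattern></servlet-mapping>
  -->
  <servlet-mapping>
    <servlet-name>ssi</servlet-name>
    <url-pattern>*.shtml</url-pattern>
  </servlet-mapping>
</web-app>"""

SAMPLE_CONTEXT_XML = '<Context privileged="true"/>'  # constructed

if __name__ == "__main__":
    found = find_enabled_features(SAMPLE_WEB_XML)
    privileged = context_is_privileged(SAMPLE_CONTEXT_XML)
    for feature, info in found.items():
        state = "ACTIVE" if privileged else "mapped but context not privileged"
        print(f"{feature}: {state}; patterns={info['patterns']}; allowExec={info['allowExec']}")
    if not found:
        print("no SSI/CGI definitions mapped")
```

Run it over `$CATALINA_BASE/conf/web.xml` and every deployed `WEB-INF/web.xml`, and pair each result with the context's `privileged` setting (which may come from `conf/context.xml`, the app's `META-INF/context.xml` or `conf/Catalina/<host>/<app>.xml`). The combination to treat as a finding is an SSI mapping with `allowExec` true inside a privileged context.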