On Mon, Oct 7, 2019 at 4:46 PM Christopher Schultz <ch...@christopherschultz.net> wrote: > > -----BEGIN PGP SIGNED MESSAGE----- > Hash: SHA256 > > All, > > I recently gave a presentation on locking-down Apache Tomcat[1] and I > briefly discussed the "sharp edges" present in Tomcat. Some of them > are unnecessarily sharp and may be actually unnecessary. I'm going to > make a few proposals to remove functions from Tomcat. > > Proposal: Remove Server-Side Includes > > Justification: > > The SSI module is a remote-code execution (RCE) vulnerability as a > feature. My sense is that SSI is a little-used feature. A few years > ago, markt[2] asked if anyone was using SSI. The only replies were > from other Tomcat devs commenting on what to do with SSI if it's no > longer in the main Tomcat distribution; there were no community > members who responded saying that SSI was important to them. > > If the packaging of Tomcat could be tweaked a bit to move the SSI > components into a separate JAR file (e.g. move > org/apache/catalina/ssi/* to catalina-ssi.jar) and if the SSI > components don't rely on any Tomcat specific capabilities or > internals, then the cattalina-ssi.jar file could be used between > Tomcat versions. For example, a user of Tomcat 10 who still needs SSI > could get the SSI module from a distribution of Tomcat 8.5.x or 9.x.
The discussion and proposal we had was to propose removing and see the feedback. If there was some use, keep it as it does not actually pose a security risk unless enabled. Given the feedback, I would now say we should keep it for Tomcat 12. Rémy > > - -chris > > > [1] http://tomcat.apache.org/presentations.html#latest-locking-down-tomc > at > [2] > https://lists.apache.org/thread.html/969a9d1b6e883a4017907c448292880624c > c85eb22c490b241dc9c88@%3Cusers.tomcat.apache.org%3E > -----BEGIN PGP SIGNATURE----- > Comment: Using GnuPG with Thunderbird - https://www.enigmail.net/ > > iQIzBAEBCAAdFiEEMmKgYcQvxMe7tcJcHPApP6U8pFgFAl2bT78ACgkQHPApP6U8 > pFj9cQ/+Os1dBaXqqM3taTbqTzzCyLKCMz5q/66QreuH0ZMcqf/QjTGkxhsegelD > 184cnAni2rWyV015yuqHvM/ZPn5BcH5pV31mEdJyGQiFIjvEfmZs37sGEoSOE584 > jutsktxcla7UEVMPfYU+YiVCapWRjWHNFusP2J/dP+UFYDg/cZJCoYDlMVjpfhmq > UH6i/Sht3fpMfYYRHdgkP/r2wHLOD+qql/K8RNExhokwDZCiATmKA1uTuUHtQWQu > rh71myzAqdzsEmLMRSLOnDY17XeG8Pd1W0JmcskdHNkZ/cYECLlMv5iqXLA3FbVM > sLSd7PLJW1baFi9kqLTP4C44G8+j2tJAgjxkC+9nxFLB7Fy+abyV38Pt77zJ5NXS > lIceS1jUIn4OBWFrMVnAii3slAl8WI0xknBBtJeObhw1uKtmRMJ2YtcefK89R/FR > 9ZOAHghcYpkbTE8rO6z7HeyN/M+p972a7Pyr6nOH9XnanYBGuL/eg72/yAZpkofT > k8AZe9VZ1SOK2TYBmNjHrzQDnodmvgtW3Q0RWY828CrOZ0x9vlQniKc/RWVa0HOR > nv6l54oGGNoOezNnMKPRgOyUpzCtLCRkxMUVFkJJi2Hetf7QDo43MITgNNIz/VW8 > NEwTPtG/EUE98HQzl4MnV+I7MTBJK8kwwlIKYwtFFTnCy88QmOQ= > =ap4d > -----END PGP SIGNATURE----- > > --------------------------------------------------------------------- > To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org > For additional commands, e-mail: dev-h...@tomcat.apache.org > --------------------------------------------------------------------- To unsubscribe, e-mail: dev-unsubscr...@tomcat.apache.org For additional commands, e-mail: dev-h...@tomcat.apache.org
