Best unofficial Apache Server developers community
Jul 16, 2010
Bugzilla
Similar Threads
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #4 from Mark Thomas <ma### @apache.org> 2010-06-29 12:45:54 EDT ---
*** Bug 49520 has been marked as a duplicate of this bug. ***
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #9 from Mark Thomas <mar### @apache.org> 2010-07-13 17:38:55 EDT ---
In the end I used the patch as a guide and wrote a new one. Some additional comments:
- if you do an svn diff against a normal source tree, patches usually apply cleanly
- new features should be documented
The patch has been applied to truck and proposed for 6.0.x
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #5 from Yair Lenga <yair.l### @citi.com> 2010-07-09 10:01:32 EDT ---
(In reply to comment #4)
> *** Bug 49520 has been marked as a duplicate of this bug. ***
Mark,
Is there anything I can do to speed up the inclusion of this change? I've noticed it did not make it into 6.0.28, where a few other CGI/SSI related changes were incorporated. I would love to use the SSI, but I can not use it because of the security risk of the "unsafe" include/exec.
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #11 from Mark Thomas <ma### @apache.org> 2010-07-13 18:08:34 EDT ---
Sorry, truck should have been trunk, and trunk == 7.0.x so it is already there.
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #10 from Yair Lenga <yair.l### @citi.com> 2010-07-13 17:54:53 EDT ---
Mark,
Thanks for taking the change. I'll follow your suggestions regarding svn diff next time. Do I have to submit anything for the change to flow to 7.X?
Yair
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #6 from Mark Thomas <mar### @apache.org> 2010-07-09 10:17:16 EDT ---
Providing patches in diff -u format would help.
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #8 from Mark Thomas <mar### @apache.org> 2010-07-13 17:16:40 EDT ---
The diff is inverted and the patch is using tabs rather than spaces. I should be able to work with that, but you might need to fix it.
DO NOT REPLY New: SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=49520
Summary: SSI Servlet should support safe configuration
Product: Tomcat 7
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: major
Priority: P2
Component: Catalina
AssignedTo: de### @tomcat.apache.org
ReportedBy: yair.### @citi.com

This is a duplicate of the request for Tomcat 6 (Bug 48960). See the proposed solution/discussion:
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960

The current configuration of the SSI module is "All" or "None". The "All" option will expose all the legacy Apache SSI directives (echo, printenv, if, exec, ...). As documented, allowing SSI will allow execution of arbitrary programs using "exec". As a result, there is no safe way to expose sites/projects containing SSI directives without taking a security risk or reviewing every file.

The "exec" directive, with the cmd option, is a major risk. Even for Apache, you have the option of allowing the "safe" include (includeNoExec). The includeNoExec allows pages to be served even when the content is not reviewed, or when users are allowed to upload content to the site.

I have a big site which needs to be converted into JSP. I would like to use the SSI servlet to allow for a transition over time. The extra risk (from exec cmd) makes it impossible to deploy the SSI.

My request: modify the configuration of SSI as follows. By default, it will only allow "safe" directives (no exec cmd=...). This will eliminate the risk from arbitrary execution of commands ("del *.*"). It will also remove many potential load problems. The cmd= should only be allowed using a directive like "allowUnsafeExec", which will default to false.

I think that the change will make it easier to use the SSI feature without exposing the server to big risk. The risk associated with the "safer" version of SSI is similar to the risk from running JSP pages.

A better alternative is to eliminate the "exec cmd=" option altogether.
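The policy the report asks for, shown as an added example that is not part of the bug report, the attached patch or Tomcat itself: a small Python scanner that parses Apache-style SSI directives out of page content and blocks `exec` (both the `cmd=` and `cgi=` forms) unless an `allow_exec` switch is on, mirroring the default-false `allowExec` behaviour described in the attachment. It is the kind of check you would run over user-uploaded or not-yet-reviewed `.shtml` content before letting the SSI servlet serve it. The sample page, the directives it contains and the `scan_ssi`/`unsafe_directives` function names are all constructed for this example.

```python
import re
from typing import List, NamedTuple

# An Apache-style SSI directive looks like:  <!--#name attr="value" attr2="value" -->
SSI_DIRECTIVE = re.compile(r"<!--#\s*(\w+)\s*(.*?)\s*-->", re.DOTALL)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')


class Finding(NamedTuple):
    line: int        # 1-based line number of the directive in the page
    directive: str   # directive name, lower-cased (include, echo, exec, ...)
    attrs: dict      # attribute name -> value
    allowed: bool    # True if the policy would let the servlet evaluate it


def scan_ssi(text: str, allow_exec: bool = False) -> List[Finding]:
    """Parse every SSI directive in `text` and decide whether it is allowed.

    Policy (hypothetical, modelled on the report): every directive except
    `exec` is allowed; `exec` is allowed only when allow_exec is True, which
    corresponds to an allowExec=true setting in the servlet configuration.
    """
    findings = []
    for m in SSI_DIRECTIVE.finditer(text):
        name = m.group(1).lower()
        attrs = dict(ATTR.findall(m.group(2)))
        line = text.count("\n", 0, m.start()) + 1
        allowed = allow_exec if name == "exec" else True
        findings.append(Finding(line, name, attrs, allowed))
    return findings


def unsafe_directives(text: str) -> List[Finding]:
    """Directives that the default (allowExec=false) policy would refuse."""
    return [f for f in scan_ssi(text, allow_exec=False) if not f.allowed]


# Constructed sample page: four "safe" directives plus the two exec forms.
SAMPLE_PAGE = """<html><body>
<!--#include virtual="/header.shtml" -->
<p>Today is <!--#echo var="DATE_LOCAL" --></p>
<!--#if expr="$HTTP_USER_AGENT = /MSIE/" -->
<p>IE</p>
<!--#endif -->
<!--#exec cmd="del *.*" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
</body></html>
"""

if __name__ == "__main__":
    for f in unsafe_directives(SAMPLE_PAGE):
        print(f"line {f.line}: <!--#{f.directive} {f.attrs} --> blocked (allowExec=false)")
```

Run against the sample page the scanner reports the two `exec` directives on lines 7 and 8 and passes the include/echo/if/endif directives, which is exactly the split the report calls "safe" versus "unsafe". Passing `allow_exec=True` reproduces the legacy "All" behaviour in which every directive is accepted.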
DO NOT REPLY SSI Servlet should support safe configuration
https://issues.apache.org/bugzilla/show_bug.cgi?id=48960
--- Comment #7 from Yair Lenga <yair.### @citi.com> 2010-07-13 15:52:28 EDT ---
Created an attachment (id=25760) --> (https://issues.apache.org/bugzilla/attachment.cgi?id=25760)
Patch to disable exec by default, new allowExec tag
Patch for three files, created against 6.0.26-src
DO NOT REPLY Session cookie domain and path configuration support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
Mark Thomas <ma### @apache.org> changed:
DO NOT REPLY Session cookie domain and path configuration support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
davidconnard <david.### @staff.rsvp.com.au> changed:
DO NOT REPLY Session cookie domain and path configuration support
https://issues.apache.org/bugzilla/show_bug.cgi?id=48379
Mark Thomas <mar### @apache.org> changed:
versioning support in POST servlet
I'm starting to hack on the post servlet to get it to support JCR versioning. It is actually much simpler than I thought it would be. Which leads me to believe I'm missing something big :) Would appreciate any comments/feedback: http://codereview.appspot.com/1690041 Thanks, Justin
DO NOT REPLY welcome-file ignores servlet mapping
https://issues.apache.org/bugzilla/show_bug.cgi?id=47378
Mark Thomas <ma### @apache.org> changed:
Created: (SLING-1573) Support for Versionable nodes in post servlet
Created: (GERONIMO-5411) G 3.0-M1 jetty assembly does not support jar resource feature in servlet 3.0
DO NOT REPLY Proposal : port mod_expires in java as ExpiresFilter Servlet Filter
https://issues.apache.org/bugzilla/show_bug.cgi?id=48998
Mark Thomas <mar### @apache.org> changed:
svn commit: r948055 - in /tomcat/trunk/test: javax/ javax/servlet/ javax/servlet/jsp/ javax/servlet/
Author: markt
Date: Tue May 25 14:20:16 2010
New Revision: 948055
URL: http://svn.apache.org/viewvc?rev=948055&view=rev
Log:
Add a test case for https://issues.apache.org/bugzilla/show_bug.cgi?id=49196
Patch to follow shortly
Added:
tomcat/trunk/test/javax/
tomcat/trunk/test/javax/servlet/
tomcat/trunk/test/javax/servlet/jsp/
tomcat/trunk/test/javax/servlet/jsp/TestPageContext.java (with props)
tomcat/trunk/test/webapp-3.0/bug49196.jsp (with props)
Added: tomcat/trunk/test/javax/servlet/jsp/TestPageContext.java
URL: http://svn.apache.org/viewvc/tomcat/t...055&view=auto
DO NOT REPLY Enhancement - Allow %{TIME_FORMAT}t As Configuration for AccessLogValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=49165
Alexander Shirkov <sgd### @gmail.com> changed:
DO NOT REPLY Enhancement - Allow %{TIME_FORMAT}t As Configuration for AccessLogValve
https://issues.apache.org/bugzilla/show_bug.cgi?id=49165
--- Comment #5 from Mark Thomas <ma### @apache.org> 2010-07-21 13:47:59 EDT ---
(In reply to comment #4)
Thanks for the patch. I have reviewed it and have the following comments:
1. It uses a mix of tabs and spaces for indenting. Only spaces should be used.
2. Log messages should use the StringManager to provide i18n support.
3. Setting currentDate in the AccessDateStruct serves no purpose.
4. Same for currentDateString.
5. DateAndTimeElementVolumeTest can probably be added to the existing Benchmarks test.
Out of curiosity, if you remove the code that manages only creating the date once a second entirely and use a date format that does not include millis, what is the performance like? I'm wondering if we can just remove that code entirely.
If you can update the patch, I'll take another look. With the issues above fixed it should be ready to apply.