https://bz.apache.org/bugzilla/show_bug.cgi?id=61489

            Bug ID: 61489
           Summary: Disable creation of command line parameters from GET
                    parameters in the URL
           Product: Tomcat 9
           Version: unspecified
          Hardware: All
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P2
         Component: Catalina
          Assignee: dev@tomcat.apache.org
          Reporter: jan0mich...@yahoo.com
  Target Milestone: -----

Created attachment 35290
  --> https://bz.apache.org/bugzilla/attachment.cgi?id=35290&action=edit
Make creation of command line parameters from GET parameters optional

The CGI RFC says that the server SHOULD create command line arguments from
certain GET parameters.

https://tools.ietf.org/html/rfc3875#section-4.4
4.4.  The Script Command Line


I don't like this because I think this can be a security risk in certain
cases.
I suggest disabling this feature by default, or at least allowing it to be
disabled by configuration.

The proposed patch makes this feature configurable.
The line

private boolean enableCmdLineArguments = false;

makes the feature disabled by default. Putting "= true" would make it enabled
by default.

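The RFC 3875 section 4.4 rule that the report refers to, placed behind the proposed switch, as an added example (not part of the original report and not Tomcat's own code). The class name `ScriptCommandLine`, the method `argsFor` and the sample query strings are hypothetical; Java 10 or later is assumed for `URLDecoder.decode(String, Charset)`.

```java
import java.net.URLDecoder;
import java.nio.charset.StandardCharsets;
import java.util.ArrayList;
import java.util.Collections;
import java.util.List;
// Added illustration of RFC 3875 section 4.4; not Tomcat's own code.
public class ScriptCommandLine {
    // Same default as the line quoted in the report: off unless configured.
    private final boolean enableCmdLineArguments;
    public ScriptCommandLine(boolean enableCmdLineArguments) {
        this.enableCmdLineArguments = enableCmdLineArguments;
    }

    /** Arguments a CGI script would be started with for this request. */
    public List<String> argsFor(String method, String rawQuery) {
        // Only an "indexed" query qualifies: GET or HEAD, no unencoded '='.
        boolean indexed = rawQuery != null && !rawQuery.isEmpty()
                && ("GET".equals(method) || "HEAD".equals(method))
                && rawQuery.indexOf('=') < 0;
        if (!enableCmdLineArguments || !indexed) {
            return Collections.emptyList();
        }
        List<String> args = new ArrayList<>();
        try {
            // Split on literal '+' first, then URL-decode each search-word.
            for (String word : rawQuery.split("\\+", -1)) {
                if (word.isEmpty()) {
                    return Collections.emptyList(); // search-word = 1*schar
                }
                args.add(URLDecoder.decode(word, StandardCharsets.UTF_8));
            }
        } catch (IllegalArgumentException badEscape) {
            // If any part cannot be created, no command line is generated.
            return Collections.emptyList();
        }
        return args;
    }

    public static void main(String[] unused) {
        // Constructed sample query strings (hypothetical, not from the report).
        String[] samples = {"report+2017%2D08", "name=value", "a%3Db+c", "bad%zz+x"};
        for (boolean enabled : new boolean[] {false, true}) {
            ScriptCommandLine s = new ScriptCommandLine(enabled);
            for (String q : samples) {
                System.out.println(enabled + "  " + q + " -> " + s.argsFor("GET", q));
            }
        }
    }
}
```

With the switch off, every request yields an empty argument list; with it on, only the query strings without an unencoded `=` are turned into arguments, and a malformed escape suppresses the whole list.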