Mark,

On 10/7/19 11:10, Mark Thomas wrote:
>> All,
>>
>> I recently gave a presentation on locking-down Apache Tomcat[1]
>> and I briefly discussed the "sharp edges" present in Tomcat. Some
>> of them are unnecessarily sharp and may be actually unnecessary.
>> I'm going to make a few proposals to remove functions from
>> Tomcat.
>>
>> Proposal: Remove CGI Servlet
>
> -1. Not a veto, just a -1.

Fair enough. I didn't think I'd get 100% agreement. If anyone feels like this is something worth keeping around, I'm happy to let the proposal drop.

>> Justification:
>>
>> The CGIServlet is another component, like server-side-includes,
>> which is a remote-code execution (RCE) vulnerability as a
>> feature. It is very easy to misconfigure. It is arguably not
>> possible to secure it on Windows[2].
>
> I disagree. That is an edge case.
>
>> There are better solutions if you want to run Perl, Python, PHP,
>> or whatever on your server in the form of the many fine
>> web-server products out there.
>
> Yes, but that isn't the only use of CGI. It is essentially, a
> fairly easy way to integrate any executable into a web application.
> My sense that this use remains sufficiently widespread that we
> should not discontinue it.
>
> Maybe a topic for discussion on users@ ?

Sure.

-chris
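The thread turns on the CGIServlet being "very easy to misconfigure", and the first thing a defender wants to know is whether a given Tomcat deployment has it switched on at all. The following audit script is an added example, not code from this thread or from the Tomcat project: it parses a web.xml and reports any live `<servlet>` declaration whose class is `org.apache.catalina.servlets.CGIServlet`, together with its URL mappings and init-params. The two embedded web.xml fragments are constructed samples (one with the declaration commented out, as in the stock conf/web.xml, one with it enabled); the function and constant names are the example's own.

```python
import xml.etree.ElementTree as ET

# Fully qualified class of Tomcat's CGI servlet (a real Tomcat class name).
CGI_SERVLET_CLASS = "org.apache.catalina.servlets.CGIServlet"


def _local(tag):
    # Strip any XML namespace so the check works for both the
    # java.sun.com and xmlns.jcp.org web-app schemas.
    return tag.rsplit("}", 1)[-1]


def _text(elem):
    return (elem.text or "").strip()


def find_cgi_servlet(web_xml_text):
    """Return {"declared": [names], "mapped": [url patterns], "init_params": {...}}
    for active CGIServlet declarations in a web.xml.

    A commented-out declaration is invisible to the XML parser, so only a
    live <servlet> element counts as enabled.
    """
    root = ET.fromstring(web_xml_text)
    names, init_params = [], {}
    for servlet in root.iter():
        if _local(servlet.tag) != "servlet":
            continue
        name = cls = None
        params = {}
        for child in servlet:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "servlet-class":
                cls = _text(child)
            elif tag == "init-param":
                pname = pvalue = None
                for grandchild in child:
                    if _local(grandchild.tag) == "param-name":
                        pname = _text(grandchild)
                    elif _local(grandchild.tag) == "param-value":
                        pvalue = _text(grandchild)
                if pname:
                    params[pname] = pvalue
        if cls == CGI_SERVLET_CLASS and name:
            names.append(name)
            init_params[name] = params

    mapped = []
    for mapping in root.iter():
        if _local(mapping.tag) != "servlet-mapping":
            continue
        name, patterns = None, []
        for child in mapping:
            tag = _local(child.tag)
            if tag == "servlet-name":
                name = _text(child)
            elif tag == "url-pattern":
                patterns.append(_text(child))
        if name in names:
            mapped.extend(patterns)

    return {"declared": names, "mapped": mapped, "init_params": init_params}


# Constructed sample: CGIServlet left commented out, as in the stock web.xml.
STOCK_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  -->
</web-app>
"""

# Constructed sample: CGIServlet enabled and mapped under /cgi-bin/*.
ENABLED_WEB_XML = """<?xml version="1.0" encoding="UTF-8"?>
<web-app xmlns="http://xmlns.jcp.org/xml/ns/javaee" version="3.1">
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
    <init-param>
      <param-name>cgiPathPrefix</param-name>
      <param-value>WEB-INF/cgi</param-value>
    </init-param>
    <init-param>
      <param-name>executable</param-name>
      <param-value>perl</param-value>
    </init-param>
  </servlet>
  <servlet-mapping>
    <servlet-name>cgi</servlet-name>
    <url-pattern>/cgi-bin/*</url-pattern>
  </servlet-mapping>
</web-app>
"""

if __name__ == "__main__":
    for label, doc in (("stock", STOCK_WEB_XML), ("enabled", ENABLED_WEB_XML)):
        result = find_cgi_servlet(doc)
        status = "ENABLED" if result["declared"] else "not enabled"
        print(f"{label}: CGIServlet {status}; mappings={result['mapped']}")
```

Run it against each webapp's WEB-INF/web.xml as well as conf/web.xml, since a per-application declaration is just as live as a global one; an empty `declared` list means the servlet is not configured in that file, and a populated `mapped` list tells you which URL space hands requests to it.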