> Remy Maucherat wrote: > > If you give the appropriate permissions to allow SSI and CGI, you're > > actually giving AllPermissions anyway (since you're allowing a native script > > or executable to run, which is not constrained by the Java sandbox), so I'm > > missing the point here. > > > > Yes, once control is handed over to a native executable from the CGI servlet, > all sandbox protections are lost. > But perhaps the Tomcat admin only wants to allow the user to execute specific CGI > scripts which are known to be secure and can not be modified. By configuring a > policy for the CGI servlet the admin can restrict what CGI scripts can be > read and executed using a FilePermission.
Yes, you could do that. That's still quite risky (any vulnerability in the script itself, and your server is compromised). > > This seems reasonable. > > (Of course, it's going to break all the scripts yet again ;-)) > > Which scripts? - The Catalina scripts (obviously) - The installer scripts - My Slide build script But it's ok, really. It's not like it's the first time or the last time it happens ;-) You can do the updates to the Catalina scripts, and I'll do the rest. Remy -- To unsubscribe, e-mail: <mailto:[EMAIL PROTECTED]> For additional commands, e-mail: <mailto:[EMAIL PROTECTED]>