As promised... I've attached my patches to allow the "exec" directive to be enabled or disabled (disabled by default). The extra safety check I've built in isn't really necessary, but it causes no harm and may prevent some accidental foot-shootings in the future.
ssi-exec.patch is a diff -u from the catalina/src directory. (We'll see if the attachment actually works to the list since I've had problems with that before.) Left up to discussion is the vulnerability of the jar file itself. I contend that since the jar is in the server/lib class loader that it is perfectly safe. Indeed, when I played with moving it into shared it resulted in broken dependencies with at least one class in server/lib. If it is not safe then it brings up a larger issue since all server/lib class have AllPermission and can therefore do whatever they want. If these classes are exploitable by webapps then it seems to me that security should be set more fine grained (including not allowing file execute for any file). Otherwise, there's always risk that some backdoor will be left open. -Paul
Index: conf/web.xml
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/conf/web.xml,v
retrieving revision 1.31
diff -u -r1.31 web.xml
--- conf/web.xml 2001/11/21 17:36:52 1.31
+++ conf/web.xml 2001/11/29 08:05:04
@@ -165,6 +165,12 @@
 <!-- be ignored and no errors shown? -->
 <!-- (0=false, 1=true) [1] -->
 <!-- -->
+ <!-- allowExecDirective -->
+ <!-- Should the exec directive be allowed in SSI -->
+ <!-- pages? When false, exec will be treated like -->
+ <!-- an unknown command. -->
+ <!-- (0=false, 1=true) [0] -->
+ <!-- -->
 <!-- IMPORTANT: To use the SSI servlet, you also need to rename the -->
 <!-- $CATALINA_HOME/server/lib/servlets-ssi.renametojar file -->
 <!-- to $CATALINA_HOME/server/lib/servlets-ssi.jar -->
@@ -194,6 +200,10 @@
 <init-param>
 <param-name>ignoreUnsupportedDirective</param-name>
 <param-value>1</param-value>
+ </init-param>
+ <init-param>
+ <param-name>allowExecDirective</param-name>
+ <param-value>0</param-value>
 </init-param>
 <load-on-startup>4</load-on-startup>
 </servlet>
Index: share/org/apache/catalina/servlets/SsiInvokerServlet.java
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/servlets/SsiInvokerServlet.java,v
retrieving revision 1.14
diff -u -r1.14 SsiInvokerServlet.java
--- share/org/apache/catalina/servlets/SsiInvokerServlet.java 2001/11/29 03:50:48 1.14
+++ share/org/apache/catalina/servlets/SsiInvokerServlet.java 2001/11/29 08:05:05
@@ -161,6 +161,13 @@
 }
 try {
+ value = getServletConfig().getInitParameter("allowExecDirective");
+ +ssiDispatcher.setAllowExecDirective((Integer.parseInt(value)>0)?true:false);
+ } catch (Throwable t) {
+ ;
+ }
+
+ try {
 value = getServletConfig().getInitParameter("expires");
 expires = Long.valueOf(value);
 } catch (NumberFormatException e) {
Index: share/org/apache/catalina/util/ssi/SsiDispatcher.java
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiDispatcher.java,v
retrieving revision 1.2
diff -u -r1.2 SsiDispatcher.java
--- share/org/apache/catalina/util/ssi/SsiDispatcher.java 2001/11/29 03:41:26 1.2
+++ share/org/apache/catalina/util/ssi/SsiDispatcher.java 2001/11/29 08:05:06
@@ -76,7 +76,7 @@
 * @version $Revision: 1.2 $, $Date: 2001/11/29 03:41:26 $
 * @author Paul Speed
 */
-public class SsiDispatcher {
+public final class SsiDispatcher {
 /**
 * Determines how to treate unknown command references.
@@ -84,6 +84,11 @@
 private boolean ignoreUnsupportedDirective = true;
 /**
+ * True if the exec command is allowed.
+ */
+ private boolean allowExec = false;
+
+ /**
 * Contains the SSI command instances. This is shared
 * across all dispatcher instances.
 */
@@ -99,7 +104,6 @@
 ssiCommands.put("echo", new SsiEcho());
 ssiCommands.put("fsize", new SsiFsize());
 ssiCommands.put("flastmod", new SsiFlastmod());
- ssiCommands.put("exec", new SsiExec());
 ssiCommands.put("set", new SsiSet());
 SsiConditional cond = new SsiConditional();
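Review bot: The added `catch (Throwable t) { ; }` in the SsiInvokerServlet.java hunk (-161) hides every failure around the `allowExecDirective` lookup, including a null `ssiDispatcher` or an `Error`, and leaves no trace that the setting was rejected. The outcome is fail-closed, which is the right default for exec, but an operator who mistypes the value gets no hint why the directive stays off. Catching only what `Integer.parseInt` throws, as the `expires` block directly below does, and logging it would be enough: `} catch (NumberFormatException e) { log("allowExecDirective is not an integer; exec stays disabled"); }` (assuming the servlet's inherited `log(String)` is usable here); `Integer.parseInt(null)` also throws NumberFormatException, so a missing parameter is still covered. The `?true:false` after the comparison is redundant, and the enclosing method starts and ends outside the hunk.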
@@ -107,6 +111,29 @@
 ssiCommands.put("elif", cond);
 ssiCommands.put("else", cond);
 ssiCommands.put("endif", cond);
+ }
+
+ /**
+ * Set to true if the "exec" directive is allowed, false otherwise.
+ */
+ public void setAllowExecDirective( boolean flag ) {
+ this.allowExec = flag;
+
+ if (this.allowExec) {
+ // For extra safety, the exec object makes sure that
+ // the flag is set on the dispatcher that is passed.
+ ssiCommands.put("exec", new SsiExec(this));
+ } else {
+ // Just in case
+ ssiCommands.remove("exec");
+ }
+ }
+
+ /**
+ * Returns true if the "exec" directive is allowed.
+ */
+ public boolean allowExecDirective() {
+ return allowExec;
 }
 /**
Index: share/org/apache/catalina/util/ssi/SsiExec.java
===================================================================
RCS file: /home/cvspublic/jakarta-tomcat-4.0/catalina/src/share/org/apache/catalina/util/ssi/SsiExec.java,v
retrieving revision 1.5
diff -u -r1.5 SsiExec.java
--- share/org/apache/catalina/util/ssi/SsiExec.java 2001/11/29 03:41:26 1.5
+++ share/org/apache/catalina/util/ssi/SsiExec.java 2001/11/29 08:05:06
@@ -86,6 +86,18 @@
 public final class SsiExec extends AbstractSsiCommand {
 /**
+ * Constructs a new SsiExec object but will fail if
+ * the specified dispatcher has exec capabilities
+ * turned off.
+ */
+ public SsiExec( SsiDispatcher dispatcher ) {
+ if (!dispatcher.allowExecDirective()) {
+ throw new IllegalArgumentException(
+ "Specified dispatcher does not allow exec." );
+ }
+ }
+
+ /**
 * Runs this command using the specified parameters.
 *
 * @param cmdName The name that was used to lookup this
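Review bot: `setAllowExecDirective` in the SsiDispatcher.java hunk (-107) stores a per-instance flag but registers and removes `exec` in `ssiCommands`, which the Javadoc in the -84 hunk describes as shared across all dispatcher instances. If that map is static, as the comment suggests, one dispatcher configured with 1 makes `exec` resolvable for every dispatcher, including those configured with 0, and a later instance initialised with 0 removes it again, so the effective setting is whichever servlet initialised last. The constructor guard added to `SsiExec` in the following hunk does not close this, since it runs once at construction and the dispatcher reference is not kept for the run-time path. Consider leaving the shared map free of per-instance state and testing the calling dispatcher's own `allowExec` where the command name is resolved (that code is outside these hunks), along the lines of `if (!allowExec && "exec".equals(cmdName)) { /* handle as unknown directive */ }`. The unsynchronised `put`/`remove` on a shared map is also worth a comment, or a lock if dispatchers can be configured concurrently.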