Author: remy.maucherat(a)jboss.com
Date: 2010-08-18 08:40:08 -0400 (Wed, 18 Aug 2010)
New Revision: 1534
Modified:
trunk/java/org/apache/catalina/ssi/SSIFilter.java
trunk/java/org/apache/catalina/ssi/SSIProcessor.java
trunk/java/org/apache/catalina/ssi/SSIServlet.java
trunk/webapps/docs/changelog.xml
trunk/webapps/docs/ssi-howto.xml
Log:
- Disable SSI exec by default.
Modified: trunk/java/org/apache/catalina/ssi/SSIFilter.java
===================================================================
--- trunk/java/org/apache/catalina/ssi/SSIFilter.java 2010-08-18 10:01:08 UTC (rev 1533)
+++ trunk/java/org/apache/catalina/ssi/SSIFilter.java 2010-08-18 12:40:08 UTC (rev 1534)
@@ -43,11 +43,11 @@
* from within web.xml.
*
* @author David Becker
- * @version $Revision$, $Date$
+ * @version $Id$
* @see org.apache.catalina.ssi.SSIServlet
*/
public class SSIFilter implements Filter {
- protected FilterConfig config = null;
+ protected FilterConfig config = null;
/** Debug level for this servlet. */
protected int debug = 0;
/** Expiration time in seconds for the doc. */
@@ -55,10 +55,12 @@
/** virtual path can be webapp-relative */
protected boolean isVirtualWebappRelative = false;
/** regex pattern to match when evaluating content types */
- protected Pattern contentTypeRegEx = null;
- /** default pattern for ssi filter content type matching */
- protected Pattern shtmlRegEx =
+ protected Pattern contentTypeRegEx = null;
+ /** default pattern for ssi filter content type matching */
+ protected Pattern shtmlRegEx =
Pattern.compile("text/x-server-parsed-html(;.*)?");
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
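Review bot: The Javadoc on the new `allowExec` field says only that exec is "normally blocked for security"; it should say what the flag gates and where it is set, because this is the switch an operator will search the source for. Suggested: `/** Whether the SSI {@code exec} command is registered at all. Set from the {@code allowExec} init parameter in {@link #init}; defaults to {@code false} because exec runs commands on the server. */`. The identical field added to SSIServlet (hunk ending at that file's `//----------------- Public methods.` line) should carry the same text.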
@@ -69,8 +71,8 @@
* if an error occurs
*/
public void init(FilterConfig config) throws ServletException {
- this.config = config;
-
+ this.config = config;
+
if (config.getInitParameter("debug") != null) {
debug = Integer.parseInt(config.getInitParameter("debug"));
}
@@ -87,6 +89,8 @@
if (config.getInitParameter("expires") != null)
expires = Long.valueOf(config.getInitParameter("expires"));
+ allowExec =
Boolean.parseBoolean(config.getInitParameter("allowExec"));
+
if (debug > 0)
config.getServletContext().log(
"SSIFilter.init() SSI invoker started with
'debug'=" + debug);
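Review bot: Enabling exec leaves no trace in the log: the startup message at the end of the hunk is emitted only when `debug > 0` and reports just the debug level, so an operator auditing a deployment cannot tell from the log that exec was switched on. Suggest logging it unconditionally right after the assignment, `if (allowExec) config.getServletContext().log("SSIFilter.init() SSI exec enabled via 'allowExec'");`. `Boolean.parseBoolean` already maps a missing parameter to false, so the default itself is correct. The same point applies to SSIServlet.init in the hunk ending `debug);`, where `log(...)` is available.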
@@ -125,7 +129,7 @@
new SSIServletExternalResolver(config.getServletContext(), req,
res, isVirtualWebappRelative, debug, encoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
// prepare readers/writers
Reader reader =
@@ -155,10 +159,10 @@
Matcher shtmlMatcher =
shtmlRegEx.matcher(responseIncludeWrapper.getContentType());
if (shtmlMatcher.matches()) {
- // Convert shtml mime type to ordinary html mime type but preserve
+ // Convert shtml mime type to ordinary html mime type but preserve
// encoding, if any.
- String enc = shtmlMatcher.group(1);
- res.setContentType("text/html" + ((enc != null) ? enc :
""));
+ String enc = shtmlMatcher.group(1);
+ res.setContentType("text/html" + ((enc != null) ? enc :
""));
}
}
@@ -177,5 +181,6 @@
}
public void destroy() {
+ // NOOP
}
}
Modified: trunk/java/org/apache/catalina/ssi/SSIProcessor.java
===================================================================
--- trunk/java/org/apache/catalina/ssi/SSIProcessor.java 2010-08-18 10:01:08 UTC (rev
1533)
+++ trunk/java/org/apache/catalina/ssi/SSIProcessor.java 2010-08-18 12:40:08 UTC (rev
1534)
@@ -32,7 +32,7 @@
*
* @author Dan Sandberg
* @author David Becker
- * @version $Revision$, $Date$
+ * @version $Id$
*/
public class SSIProcessor {
/** The start pattern */
@@ -41,13 +41,17 @@
protected final static String COMMAND_END = "-->";
protected final static int BUFFER_SIZE = 4096;
protected SSIExternalResolver ssiExternalResolver;
- protected HashMap commands = new HashMap();
+ protected HashMap<String,SSICommand> commands =
+ new HashMap<String,SSICommand>();
protected int debug;
+ protected final boolean allowExec;
- public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) {
+ public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug,
+ boolean allowExec) {
this.ssiExternalResolver = ssiExternalResolver;
this.debug = debug;
+ this.allowExec = allowExec;
addBuiltinCommands();
}
@@ -55,7 +59,9 @@
protected void addBuiltinCommands() {
addCommand("config", new SSIConfig());
addCommand("echo", new SSIEcho());
- addCommand("exec", new SSIExec());
+ if (allowExec) {
+ addCommand("exec", new SSIExec());
+ }
addCommand("include", new SSIInclude());
addCommand("flastmod", new SSIFlastmod());
addCommand("fsize", new SSIFsize());
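Review bot: With exec not registered, a document containing an `exec` directive now falls into the `Unknown command` branch shown in the later hunk of this file, so the rendered error and any log say `Unknown command: exec` rather than that the command is disabled; nothing at the guard explains this. Suggest a comment above the `if (allowExec)` line, e.g. `// exec is registered only when explicitly enabled; otherwise the directive is reported as an unknown command`. `allowExec` is final and assigned before the constructor calls this method, so the gate is reliable, but note that `addBuiltinCommands()` is protected and called from the constructor, so a subclass can still override it and register exec.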
@@ -133,8 +139,8 @@
// change
// during the loop
String configErrMsg = ssiMediator.getConfigErrMsg();
- SSICommand ssiCommand = (SSICommand)commands
- .get(strCmd.toLowerCase(Locale.ENGLISH));
+ SSICommand ssiCommand =
+ commands.get(strCmd.toLowerCase(Locale.ENGLISH));
String errorMessage = null;
if (ssiCommand == null) {
errorMessage = "Unknown command: " + strCmd;
@@ -322,4 +328,4 @@
protected boolean isQuote(char c) {
return c == '\'' || c == '\"' || c == '`';
}
-}
+}
\ No newline at end of file
Modified: trunk/java/org/apache/catalina/ssi/SSIServlet.java
===================================================================
--- trunk/java/org/apache/catalina/ssi/SSIServlet.java 2010-08-18 10:01:08 UTC (rev 1533)
+++ trunk/java/org/apache/catalina/ssi/SSIServlet.java 2010-08-18 12:40:08 UTC (rev 1534)
@@ -41,7 +41,7 @@
* @author Amy Roh
* @author Dan Sandberg
* @author David Becker
- * @version $Revision$, $Date$
+ * @version $Id$
*/
public class SSIServlet extends HttpServlet {
/** Debug level for this servlet. */
@@ -56,6 +56,8 @@
protected String inputEncoding = null;
/** Output encoding. If not specified, uses platform default */
protected String outputEncoding = "UTF-8";
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
@@ -65,6 +67,7 @@
* @exception ServletException
* if an error occurs
*/
+ @Override
public void init() throws ServletException {
if (getServletConfig().getInitParameter("debug") != null)
@@ -83,6 +86,9 @@
if (getServletConfig().getInitParameter("outputEncoding") != null)
outputEncoding =
getServletConfig().getInitParameter("outputEncoding");
+ allowExec = Boolean.parseBoolean(
+ getServletConfig().getInitParameter("allowExec"));
+
if (debug > 0)
log("SSIServlet.init() SSI invoker started with 'debug'=" +
debug);
@@ -101,6 +107,7 @@
* @exception ServletException
* if an error occurs
*/
+ @Override
public void doGet(HttpServletRequest req, HttpServletResponse res)
throws IOException, ServletException {
if (debug > 0) log("SSIServlet.doGet()");
@@ -121,6 +128,7 @@
* @exception ServletException
* if an error occurs
*/
+ @Override
public void doPost(HttpServletRequest req, HttpServletResponse res)
throws IOException, ServletException {
if (debug > 0) log("SSIServlet.doPost()");
@@ -137,7 +145,7 @@
* a value of type 'HttpServletResponse'
*/
protected void requestHandler(HttpServletRequest req,
- HttpServletResponse res) throws IOException, ServletException {
+ HttpServletResponse res) throws IOException {
ServletContext servletContext = getServletContext();
String path = SSIServletRequestUtil.getRelativePath(req);
if (debug > 0)
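Review bot: Dropping `ServletException` from the `throws` clause of the protected `requestHandler` is a source-incompatible change for any subclass that overrides it and still declares `throws IOException, ServletException`, since an override may not declare checked exceptions the overridden method omits. Either keep the original clause, `HttpServletResponse res) throws IOException, ServletException {`, or call the change out in the log message and changelog, which mention only the exec default. The hunk shows only the signature; the method body continues outside it.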
@@ -178,7 +186,7 @@
new SSIServletExternalResolver(getServletContext(), req, res,
isVirtualWebappRelative, debug, inputEncoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
PrintWriter printWriter = null;
StringWriter stringWriter = null;
if (buffered) {
Modified: trunk/webapps/docs/changelog.xml
===================================================================
--- trunk/webapps/docs/changelog.xml 2010-08-18 10:01:08 UTC (rev 1533)
+++ trunk/webapps/docs/changelog.xml 2010-08-18 12:40:08 UTC (rev 1534)
@@ -41,6 +41,9 @@
<fix>
CSRF filter updates. (markt)
</fix>
+ <fix>
+ <bug>48960</bug>: Disable SSI exec by default, and add allowExec
configuration. (markt)
+ </fix>
</changelog>
</subsection>
<subsection name="Coyote">
Modified: trunk/webapps/docs/ssi-howto.xml
===================================================================
--- trunk/webapps/docs/ssi-howto.xml 2010-08-18 10:01:08 UTC (rev 1533)
+++ trunk/webapps/docs/ssi-howto.xml 2010-08-18 12:40:08 UTC (rev 1534)
@@ -85,6 +85,7 @@
the default platform encoding.</li>
<li><strong>outputEncoding</strong> - The encoding to be used for the
result
of the SSI processing. Default is UTF-8.</li>
+<li><strong>allowExec</strong> - Allow SSI exec. Default is
false.</li>
</ul>
</p>
@@ -108,6 +109,7 @@
<li><strong>isVirtualWebappRelative</strong> - Should
"virtual" SSI directive
paths be interpreted as relative to the context root, instead of the server
root? (0=false, 1=true) Default 0 (false).</li>
+<li><strong>allowExec</strong> - Allow SSI exec. Default is
false.</li>
</ul>
</p>