<!-- -->
<!-- outputEncoding The encoding to use for the page that results -->
<!-- from the SSI processing. [UTF-8] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
<!--
<servlet>
<!-- Should "virtual" paths be interpreted as -->
<!-- relative to the context root, instead of -->
<!-- the server root? (0=false, 1=true) [0] -->
+ <!-- -->
+ <!-- allowExec Is use of the exec command enabled? [false] -->
<!--
<filter>
/** default pattern for ssi filter content type matching */
protected Pattern shtmlRegEx =
Pattern.compile("text/x-server-parsed-html(;.*)?");
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
if (config.getInitParameter("expires") != null)
expires = Long.valueOf(config.getInitParameter("expires"));
+ allowExec = Boolean.parseBoolean(config.getInitParameter("allowExec"));
+
if (debug > 0)
config.getServletContext().log(
"SSIFilter.init() SSI invoker started with 'debug'=" + debug);
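Review bot: The startup message on the last lines of the hunk logs only `debug`, so nothing records that `exec` was switched on, even though a true `allowExec` lets anyone who can place SSI content under this filter run commands with the container's privileges; log it next to the parse, e.g. `if (allowExec) config.getServletContext().log("SSIFilter.init() 'allowExec' is true - SSI exec directives will run server-side commands");`. `Boolean.parseBoolean` returns false for a missing parameter or anything other than a case-insensitive `true`, so the default is fail-closed, but a value such as `yes` or `1` is silently treated as false, which deserves a comment on the parse line. The field Javadoc `Allow exec (normally blocked for security)` would serve a maintainer better as `Whether the SSI exec directive is honoured; exec runs arbitrary server-side commands, so it stays off unless the allowExec init parameter is "true"`. init() starts before this hunk.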
new SSIServletExternalResolver(config.getServletContext(), req,
res, isVirtualWebappRelative, debug, encoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
// prepare readers/writers
Reader reader =
protected HashMap<String,SSICommand> commands =
new HashMap<String,SSICommand>();
protected int debug;
+ protected final boolean allowExec;
- public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) {
+ public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug,
+ boolean allowExec) {
this.ssiExternalResolver = ssiExternalResolver;
this.debug = debug;
+ this.allowExec = allowExec;
addBuiltinCommands();
}
protected void addBuiltinCommands() {
addCommand("config", new SSIConfig());
addCommand("echo", new SSIEcho());
- addCommand("exec", new SSIExec());
+ if (allowExec) {
+ addCommand("exec", new SSIExec());
+ }
addCommand("include", new SSIInclude());
addCommand("flastmod", new SSIFlastmod());
addCommand("fsize", new SSIFsize());
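Review bot: The two-argument constructor removed on the `-` line has no replacement, so any external code that builds an `SSIProcessor(resolver, debug)` stops compiling; keeping it as a delegating overload, `public SSIProcessor(SSIExternalResolver ssiExternalResolver, int debug) { this(ssiExternalResolver, debug, false); }`, preserves compatibility and still defaults to exec disabled. Gating exec at registration time means a `<!--#exec -->` directive in a page falls through to whatever the processor does for an unrecognised command, which this hunk does not show; a comment on the `if (allowExec)` branch stating that intent, plus a debug-level log when such a directive is skipped, would let an operator distinguish a deliberately disabled directive from a typo. Note also that `addBuiltinCommands()` is overridable and is called from the constructor, so a subclass can re-register exec regardless of the flag; the `allowExec` Javadoc should state that it only controls the built-in registration, not `addCommand` itself. addBuiltinCommands() continues past the hunk.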
protected String inputEncoding = null;
/** Output encoding. If not specified, uses platform default */
protected String outputEncoding = "UTF-8";
+ /** Allow exec (normally blocked for security) */
+ protected boolean allowExec = false;
//----------------- Public methods.
if (getServletConfig().getInitParameter("outputEncoding") != null)
outputEncoding = getServletConfig().getInitParameter("outputEncoding");
+ allowExec = Boolean.parseBoolean(
+ getServletConfig().getInitParameter("allowExec"));
+
if (debug > 0)
log("SSIServlet.init() SSI invoker started with 'debug'=" + debug);
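Review bot: The `init()` log line at the end of the hunk reports only `debug`, leaving no startup record that the servlet will honour `exec` directives, which is the one setting here an operator would want in the logs; add `if (allowExec) log("SSIServlet.init() 'allowExec' is true - SSI exec directives will run server-side commands");` after the parse. Unlike `SSIProcessor`, where the flag is `final`, `allowExec` is a mutable protected field in this class and is only ever assigned in init() within this hunk, so a comment noting that it is set once from the init parameter and not expected to change afterwards would make the intent explicit. init() starts before this hunk.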
new SSIServletExternalResolver(getServletContext(), req, res,
isVirtualWebappRelative, debug, inputEncoding);
SSIProcessor ssiProcessor = new SSIProcessor(ssiExternalResolver,
- debug);
+ debug, allowExec);
PrintWriter printWriter = null;
StringWriter stringWriter = null;
if (buffered) {
<bug>48297</bug>: Correctly initialise handler chain for web services
resources. (markt)
</fix>
+ <add>
+ <bug>48960</bug>: Add a new option to the SSI Servlet and SSI Filter to
+ allow the disabling of the <code>exec</code> command. This is now
+ disabled by default. Based on a patch by Yair Lenga. (markt)
+ </add>
<fix>
<bug>49030</bug>: When initializing/starting/stopping connectors and
one of them fails, do not ignore the others. (markt/kkolinko)
the default platform encoding.</li>
<li><strong>outputEncoding</strong> - The encoding to be used for the result
of the SSI processing. Default is UTF-8.</li>
+<li><strong>allowExec</strong> - Is the exec command enabled? Default is
+false.</li>
</ul>
</p>
<li><strong>isVirtualWebappRelative</strong> - Should "virtual" SSI directive
paths be interpreted as relative to the context root, instead of the server
root? (0=false, 1=true) Default 0 (false).</li>
+<li><strong>allowExec</strong> - Is the exec command enabled? Default is
+false.</li>
</ul>
</p>