"Craig R. McClanahan" wrote:
>
> > >
> > > 2) Addition to default context
> > >
> > > Would this CGI servlet be added to the default context similar to
> > > SsiInvokerServlet?
> >
> > Yes.
> >
>
> I would suggest that we do this, but leave it commented out. The reason
> is that the potential for mischief is *much* larger when we are talking
> about executing outside programs instead of just displaying content back
> to a web browser. I vote for making the Tomcat sysadmin have to enable
> this feature explicitly if they want it.
>
> Once we implement the #exec functionality in SSI, the same argument would
> apply here -- unless we added a config option to disable the #exec by
> default but left everything else alone.

+1 on having CGI in web.xml but commented out. Regarding SSI, I suggest
we add a configure property (like Apache's NoExec) that sets whether #exec is
allowed or not. And if that property is not set, it defaults to NoExec.
So for a standard setup SSI would be allowed but you'd have to bug your
Tomcat sysadmin to have the #exec option enabled.
Sort of like a standard Apache setup.
..bip
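
An added example, not part of the original thread: a small audit that checks a web.xml for the two defaults argued for above (CGI servlet left commented out, SSI `#exec` off unless explicitly enabled). The servlet class names and the `allowExec` init-param are taken from the conf/web.xml shipped with later Tomcat releases and are an assumption relative to this discussion; the sample file is constructed.

```python
import xml.etree.ElementTree as ET

# Assumption: class names and the allowExec init-param as found in the
# conf/web.xml of later Tomcat releases; the thread itself names neither.
CGI_CLASS = "org.apache.catalina.servlets.CGIServlet"
SSI_CLASS = "org.apache.catalina.ssi.SSIServlet"

# Constructed sample: CGI left commented out, SSI enabled with exec turned on.
SAMPLE_WEB_XML = """<web-app>
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>org.apache.catalina.servlets.CGIServlet</servlet-class>
  </servlet>
  -->
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>org.apache.catalina.ssi.SSIServlet</servlet-class>
    <init-param>
      <param-name>allowExec</param-name>
      <param-value>true</param-value>
    </init-param>
  </servlet>
</web-app>"""

def _local(tag):
    """Strip an XML namespace so files that declare one still match."""
    return tag.rsplit("}", 1)[-1]

def audit_web_xml(xml_text):
    """Return findings for active servlets that can run external programs."""
    findings = []
    root = ET.fromstring(xml_text)  # XML comments are dropped by the parser
    for servlet in (e for e in root.iter() if _local(e.tag) == "servlet"):
        fields = {_local(c.tag): (c.text or "").strip() for c in servlet}
        params = {}
        for ip in (c for c in servlet if _local(c.tag) == "init-param"):
            kv = {_local(c.tag): (c.text or "").strip() for c in ip}
            params[kv.get("param-name")] = kv.get("param-value")
        cls = fields.get("servlet-class")
        if cls == CGI_CLASS:
            findings.append("CGI servlet enabled")
        elif cls == SSI_CLASS and (params.get("allowExec") or "false").lower() == "true":
            findings.append("SSI servlet enabled with #exec allowed")
    return findings

if __name__ == "__main__":
    print(audit_web_xml(SAMPLE_WEB_XML))
```

A missing `allowExec` parameter is treated as "false", matching the default-deny behaviour proposed in the reply.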