--- Bip Thelin <[EMAIL PROTECTED]> wrote:
> "Craig R. McClanahan" wrote:
> >
> > > >
> > > > 2) Addition to default context
> > > >
> > > > Would this CGI servlet be added to the default context similar to
> > > > SsiInvokerServlet?
> > >
> > > Yes.
> > >
> >
> > I would suggest that we do this, but leave it commented out. The reason
> > is that the potential for mischief is *much* larger when we are talking
> > about executing outside programs instead of just displaying content back
> > to a web browser. I vote for making the Tomcat sysadmin have to enable
> > this feature explicitly if they want it.
> >
> > Once we implement the #exec functionality in SSI, the same argument would
> > apply here -- unless we added a config option to disable the #exec by
> > default but left everything else alone.
>
> +1 on having CGI in web.xml but commented out, regarding SSI I suggest
> we add a configure property (like Apache's NoExec) that sets whether #exec is
> allowed or not. And if that property is not set it defaults to NoExec.
>
> So for a standard setup SSI would be allowed but you'd have to bug your
> Tomcat sysadmin to have the #exec option enabled.
> Sort of like a standard Apache setup.
>
> ..bip
+1 on what Bip said.
mel
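The defaults agreed on in this thread (CGI declared in web.xml but commented out, SSI on with #exec off unless a property says otherwise) can be checked mechanically; the audit below is an added example, not code from Tomcat or from the posters. The servlet class names, the `allowExec` parameter name and the sample descriptor are assumptions constructed for the illustration, since the thread names no property.

```python
import xml.etree.ElementTree as ET

# Constructed web.xml fragment (not from the thread). The class names and the
# "allowExec" parameter name are assumptions made for this example.
SAMPLE_WEB_XML = """<web-app>
  <!--
  <servlet>
    <servlet-name>cgi</servlet-name>
    <servlet-class>example.CGIServlet</servlet-class>
  </servlet>
  -->
  <servlet>
    <servlet-name>ssi</servlet-name>
    <servlet-class>example.SsiInvokerServlet</servlet-class>
  </servlet>
</web-app>"""


def audit(web_xml, cgi_class="example.CGIServlet",
          ssi_class="example.SsiInvokerServlet", exec_param="allowExec"):
    """Report which program-executing features a descriptor turns on."""
    # The default parser drops XML comments, so a commented-out <servlet>
    # is invisible here, just as it is to the container.
    root = ET.fromstring(web_xml)
    result = {"cgi_enabled": False, "ssi_enabled": False, "ssi_exec": False}
    for servlet in root.iter("servlet"):
        cls = (servlet.findtext("servlet-class") or "").strip()
        if cls == cgi_class:
            result["cgi_enabled"] = True
        elif cls == ssi_class:
            result["ssi_enabled"] = True
            for param in servlet.iter("init-param"):
                name = (param.findtext("param-name") or "").strip()
                value = (param.findtext("param-value") or "").strip().lower()
                # Fail closed: a missing, empty or misspelled value leaves
                # #exec off; only an explicit "true" turns it on.
                if name == exec_param and value == "true":
                    result["ssi_exec"] = True
    return result


if __name__ == "__main__":
    print(audit(SAMPLE_WEB_XML))
```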