Hi,
> From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]]On
> Behalf Of Craig R. McClanahan
> Sent: Sunday, August 19, 2001 1:17 AM
>
> On Sun, 19 Aug 2001, Deacon Marcus wrote:
>
> > Hi,
> >
> > > -----Original Message-----
> > > From: Pier P. Fumagalli [mailto:[EMAIL PROTECTED]]
> > > Sent: Saturday, August 18, 2001 10:44 AM
> > > To: tomcat dev jakarta.apache.org
> > > Subject: CGI wrapper in Tomcat 4.0 b7
> > >
> > [...]
> > >
> > > (BTW, wouldn't it be wise to disable CGI execution in the default
> > > configuration? I don't know, after hearing people running Tomcat
> > > as root, I
> > > feel we really should!)
> >
> > You mean it's _enabled_ by _default_ ??
> > /me is running to his server's console to immediately disable
> CGI before one
> > of his customers find out it's enabled and it's too late ;/
> >
>
> It's enabled by default for CGI scripts *inside* your web app, whose
> context relative URI paths match "/cgi-bin/*" and where the corresponding
> files are under "/WEB-INF/cgi". Have any of those?
Haven't currently, but it's perfectly ok for someone having standard www
package on my servers to create /cgi-bin and upload there anything he wants,
which wasn't part of the sold package anyway, so they shouldn't miss the
possibility and I can sleep without fearing someone'll upload malicious /
broken cgi.
> > Greetings, deacon Marcus
> >
> >
> >
> >
> Craig (who is amused by this, since Apache itself ships with CGI enabled)
I didn't choose Tomcat stand-alone to allow some ancient-ware cgi running on
my hardware.
Greetings, deacon Marcus
