Feature #2051


[PATCH] mod_ssi Add configuration item to disable SSI exec.

Added by benbrown almost 15 years ago. Updated over 8 years ago.

Target version:


At present lighty does allow for Server Side Includes (SSI) to be used, however it's an 'all or nothing' option, which enables the potentially dangerous 'exec' option. This could be used by malicious users of hosting provided on a lighty based platform to run arbitrary commands.

Apache has an 'IncludesNOEXEC' option, which enables SSI, however the exec option is not enabled. In order for hosting providers (which may have many customers using legacy SSI pages) to provide a similar system, I have written a patch for mod_ssi which gives a configuration option allowing the server operator to disable the exec option on SSI pages, as well as a debug flag. At present the debug flag only does one thing, it prints a message to the error log when someone tries to use the exec feature when it is disabled. However, this may be useful for further development of the plugin in the future.

I have also corrected what I assume is a typo in an error message below some of the changes I have made.

The additional config items are:

ssi.debug can be set to 1 or 0. ssi.exec can be set to "disable" or not supplied. As people may be relying on the exec feature (I really hope that they aren't!) I thought it would be safer to allow exec by default, and give the option to disable it.


Actions #1

Updated by benbrown almost 15 years ago

Forgot to say, this is for 1.4, and the patch uses revision 2613 of the lighttpd-1.4.x branch in svn as its base. It also compiles and seems to work as expected on Solaris 10 using gcc.

Actions #2

Updated by benbrown almost 15 years ago

  • % Done changed from 0 to 90
Actions #3

Updated by gstrauss over 8 years ago

  • Category set to mod_ssi
  • Target version set to 1.4.40

There are a few errors in the original patch, such as not using T_CONFIG_BOOLEAN for the config param, and the cut-n-paste of "scgi.debug" from mod_scgi.c. Also, "ssi: unknow attribute for " misspelling of "unknown" occurs 9x in the file (and is not addressed in the patch below)

Patch rewritten (and config indices will have to be slightly modified once lands)

diff --git a/src/mod_ssi.c b/src/mod_ssi.c
index 1443399..303df9b 100644
--- a/src/mod_ssi.c
+++ b/src/mod_ssi.c
@@ -107,6 +107,7 @@ SETDEFAULTS_FUNC(mod_ssi_set_defaults) {
        config_values_t cv[] = {
                { "ssi.extension",              NULL, T_CONFIG_ARRAY, T_CONFIG_SCOPE_CONNECTION },       /* 0 */
                { "ssi.content-type",           NULL, T_CONFIG_STRING, T_CONFIG_SCOPE_CONNECTION },      /* 1 */
+               { "ssi.exec",                   NULL, T_CONFIG_BOOLEAN, T_CONFIG_SCOPE_CONNECTION },     /* 2 */
                { NULL,                         NULL, T_CONFIG_UNSET, T_CONFIG_SCOPE_UNSET }

@@ -121,9 +122,11 @@ SETDEFAULTS_FUNC(mod_ssi_set_defaults) {
                s = calloc(1, sizeof(plugin_config));
                s->ssi_extension  = array_init();
                s->content_type = buffer_init();
+               s->ssi_exec = 1;

                cv[0].destination = s->ssi_extension;
                cv[1].destination = s->content_type;
+               cv[2].destination = &(s->ssi_exec);

                p->config_storage[i] = s;

@@ -712,6 +715,10 @@ static int process_ssi_stmt(server *srv, connection *con, plugin_data *p, const
                pid_t pid;
                int from_exec_fds[2];

+               if (!p->conf.ssi_exec) { /* <!--#exec ... --> disabled by config */
+                       break;
+               }
                for (i = 2; i < n; i += 2) {
                        if (0 == strcmp(l[i], "cmd")) {
                                cmd = l[i+1];
@@ -1112,6 +1119,7 @@ static int mod_ssi_patch_connection(server *srv, connection *con, plugin_data *p

+       PATCH(ssi_exec);

        /* skip the first, the global context */
        for (i = 1; i < srv->config_context->used; i++) {
@@ -1129,6 +1137,8 @@ static int mod_ssi_patch_connection(server *srv, connection *con, plugin_data *p
                        } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssi.content-type"))) {
+                       } else if (buffer_is_equal_string(du->key, CONST_STR_LEN("ssi.exec"))) {
+                               PATCH(ssi_exec);
diff --git a/src/mod_ssi.h b/src/mod_ssi.h
index aeff85e..5fad7f3 100644
--- a/src/mod_ssi.h
+++ b/src/mod_ssi.h
@@ -17,6 +17,7 @@
 typedef struct {
        array *ssi_extension;
        buffer *content_type;
+       unsigned short ssi_exec;
 } plugin_config;

 typedef struct {
Actions #4

Updated by gstrauss over 8 years ago

  • Status changed from New to Patch Pending
Actions #5

Updated by gstrauss over 8 years ago

  • Status changed from Patch Pending to Fixed

Also available in: Atom