Disable enableCmdLineArguments by default. Hardening for CVE-2019-0232
diff --git a/java/org/apache/catalina/servlets/CGIServlet.java b/java/org/apache/catalina/servlets/CGIServlet.java
index 56d912c..3008479 100644
--- a/java/org/apache/catalina/servlets/CGIServlet.java
+++ b/java/org/apache/catalina/servlets/CGIServlet.java
@@ -314,7 +314,7 @@
* See https://tools.ietf.org/html/rfc3875#section-4.4
* 4.4. The Script Command Line
*/
- private boolean enableCmdLineArguments = true;
+ private boolean enableCmdLineArguments = false;
/**
* Limits the encoded form of individual command line arguments. By default
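Review bot: The field's javadoc (the `See https://tools.ietf.org/html/rfc3875#section-4.4` block directly above the changed line) still describes only the RFC behaviour and does not say that the default is now `false` or why; a reader of the field alone cannot tell this was a deliberate hardening choice. Suggest extending that comment with one sentence, e.g. `* Disabled by default as hardening against CVE-2019-0232; enable explicitly via the enableCmdLineArguments init parameter.`, so the rationale survives next to the code rather than only in the changelog. Also worth confirming in the same change that nothing in the servlet's `init()` path still assumes the old `true` default when the init parameter is absent.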
diff --git a/webapps/docs/cgi-howto.xml b/webapps/docs/cgi-howto.xml
index b368f3c..09241ab 100644
--- a/webapps/docs/cgi-howto.xml
+++ b/webapps/docs/cgi-howto.xml
@@ -119,7 +119,7 @@
<code>[a-zA-Z0-9\Q%;/?:@&,$-_.!~*'()\E]+</code></li>
<li><strong>enableCmdLineArguments</strong> - Are command line arguments
generated from the query string as per section 4.4 of 3875 RFC? The default is
-<code>true</code>.</li>
+<code>false</code>.</li>
<li><strong>environment-variable-</strong> - An environment to be set for the
execution environment of the CGI script. The name of variable is taken from the
parameter name. To configure an environment variable named FOO, configure a
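Review bot: The how-to entry now states the new default but gives operators no reason for it, and the changelog hunk in this same patch ties the change to CVE-2019-0232; the documentation should say the same so that anyone flipping the parameter back to `true` understands the trade-off. Suggest appending to the `enableCmdLineArguments` item something like `This is disabled by default as a hardening measure (see CVE-2019-0232); if enabled, the arguments are subject to the cmdLineArgumentsDecoded restriction.` While here, the unchanged context line `as per section 4.4 of 3875 RFC` should read `as per section 4.4 of RFC 3875`.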
diff --git a/webapps/docs/changelog.xml b/webapps/docs/changelog.xml
index 7961011..8b9483b 100644
--- a/webapps/docs/changelog.xml
+++ b/webapps/docs/changelog.xml
@@ -111,6 +111,11 @@
new initialisation parameter <code>cmdLineArgumentsDecoded</code>. This
is the fix for CVE-2019-0232. (markt)
</add>
+ <update>
+ Change the default for the <code>enableCmdLineArguments</code> parameter
+ of the CGI servlet from <code>true</code> to <code>false</code> as
+ additional hardening against CVE-2019-0232. (markt)
+ </update>
</changelog>
</subsection>
<subsection name="Coyote">
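Review bot: The new `<update>` entry records the default change but does not tell administrators who relied on the previous behaviour what to do; as a behaviour change in a security-related setting, it should spell out the migration step. Suggest adding a sentence such as `Deployments that require query string command line arguments must now explicitly set enableCmdLineArguments to true in the CGI servlet's initialisation parameters.` so the entry is actionable on its own. The `<update>` element and the `(markt)` attribution are consistent with the preceding `<add>` entry, so no structural change is needed.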