httpd-bugs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
Subject DO NOT REPLY [Bug 50964] New: Apache HTTPD 2.2 does not parse nested server side includes properly
Date Thu, 24 Mar 2011 00:37:36 GMT

           Summary: Apache HTTPD 2.2 does not parse nested server side
                    includes properly
           Product: Apache httpd-2
           Version: 2.2.17
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_include

When enabling includes within HTTPD, Apache 2.2 only parses first-level
<!--#include virtual="/some_file.shtml" --> includes.

Nested includes, while maybe not conventional, should be supported by the

Such situations can occur when a header is created by using something like:
<!--#include virtual="/header.shtml" -->

and within header.shtml it has additional includes like:
<!--#include virtual="/banner.shtml" -->
<!--#include virtual="/contacts.shtml" -->

When loaded by apache, it responds by passing this data as plaintext.

Recommended solution:
Enable a directive enabling the operator to specify how deep httpd should parse
included documents. Set the default to 1, allow overwrite to some reasonable
max such as 10.

Doing this would allow people to nest server side includes without the
potential of DOSing the system via infinite recursion (in the case of a
self-referencing or otherwise erroneously-coded html doc).

Configure bugmail:
------- You are receiving this mail because: -------
You are the assignee for the bug.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message