Date: Wed, 23 Mar 2011 20:37:36 -0400 (EDT)
From: bugzilla@apache.org
To: bugs@httpd.apache.org
Subject: DO NOT REPLY [Bug 50964] New: Apache HTTPD 2.2 does not parse nested server side includes properly

https://issues.apache.org/bugzilla/show_bug.cgi?id=50964

           Summary: Apache HTTPD 2.2 does not parse nested server side
                    includes properly
           Product: Apache httpd-2
           Version: 2.2.17
          Platform: PC
        OS/Version: All
            Status: NEW
          Severity: minor
          Priority: P2
         Component: mod_include
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: nllamb@msn.com

When enabling includes within HTTPD, Apache 2.2 only parses first-level includes. Nested includes, while maybe not conventional, should be supported by the server. Such situations can occur when a header is created by using something like: and within header.shtml it has additional includes like: etc.

When loaded by Apache, it responds by passing this data as plaintext.

Recommended solution:
Enable a directive enabling the operator to specify how deep httpd should parse included documents. Set the default to 1, allow overwrite to some reasonable max such as 10. Doing this would allow people to nest server side includes without the potential of DOSing the system via infinite recursion (in the case of a self-referencing or otherwise erroneously-coded html doc).
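
The depth limit proposed in the report, modelled as an added example (not code from the report or from httpd): a small Python include expander in which max_depth plays the role of the suggested directive, with the default of 1 and the ceiling of 10 taken from the report. The expand function, the refusal marker and every document name other than header.shtml are assumptions made for illustration, and the documents are constructed sample input.

```python
import re

# Include directive in the syntax mod_include accepts.
INCLUDE = re.compile(r'<!--#include\s+virtual="([^"]+)"\s*-->')

DEFAULT_DEPTH = 1   # default proposed in the report
MAX_DEPTH = 10      # ceiling proposed in the report
REFUSED = "[include not processed]"   # hypothetical marker, not httpd output

# Constructed sample documents.
DOCS = {
    "index.shtml": 'A<!--#include virtual="header.shtml" -->Z',
    "header.shtml": 'H<!--#include virtual="nav.shtml" -->',
    "nav.shtml": "N",
    # Self-referencing document, the failure case named in the report.
    "loop.shtml": 'L<!--#include virtual="loop.shtml" -->',
}


def expand(name, docs, max_depth=DEFAULT_DEPTH):
    """Return (output, includes_followed) for docs[name].

    max_depth=1 processes only the includes written in the requested
    document; each extra level lets an included document pull in its own.
    Values outside 0..MAX_DEPTH are clamped, so configuration cannot
    remove the bound.
    """
    limit = max(0, min(max_depth, MAX_DEPTH))
    followed = 0

    def render(doc, level):
        def substitute(match):
            nonlocal followed
            target = match.group(1)
            if level >= limit or target not in docs:
                return REFUSED      # too deep, or no such document
            followed += 1
            return render(target, level + 1)

        return INCLUDE.sub(substitute, docs[doc])

    return render(name, 0), followed


if __name__ == "__main__":
    for doc, depth in [("index.shtml", 1), ("index.shtml", 2), ("loop.shtml", 10)]:
        print(doc, depth, expand(doc, DOCS, depth))
```

With the limit in place the self-referencing document is followed exactly max_depth times and then refused, so the work per request is bounded by the configured depth rather than by the content.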