httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rob Hartill <hart...@ooo.lanl.gov>
Subject Re: votes for 0.6 SUMMARY
Date Fri, 14 Apr 1995 15:31:26 GMT
> 
> On Fri, 14 Apr 1995, Rob Hartill wrote:
> > > E66_cgi_no_cmd_incs.txt 		-1
> > > Sounds like there are some better solutions afoot.
> > 
> > I'd like to know why Brian and Randy have vetoed this.
> 
> It has nothing to do with the name or the data structures, and everything 
> to do with the conviction that allowing #include to point to CGI scripts 
> solves this problem cleanly without introducing new security holes nor 
> new configuration options.  I would love to be proved wrong on this.

Allowing CGI includes is not much worse than  worse than allowing the 
CGI themsleves

If you don't want CMD includes - which are obviuosly insecure, then there's
no way to have CGI includes either. At least with this patch you
get the choice, and can make your own mind up.

With monitored ScriptAliased cgi (which many sites have), the 
webmaster "knows" what the scripts do, he trusts them. 
The "cmd" stuff cannot be monitored if users have the ability to
do includes.

I just don't understand the objection. There are no "new" security holes
which come with this, but a few holes will be plugged with it.


robh

Mime
View raw message