httpd-dev mailing list archives

From "Roy T. Fielding" <field...@avron.ICS.UCI.EDU>
Subject Re: IncludesYesCGInoCMD
Date Sun, 16 Apr 1995 06:34:52 GMT
David wrote:

> Re Patch E66, which adds an IncludesYesCGInoCMD
> I don't think one should have to change one's config files to allow #include
> cgi scripts, as the security risk is low.
> I would rather Includes and IncludesNOEXEC allow #include of cgi scripts,
> and instead create an IncludesNOEXECCGI which disallowed both #cmd _and_
> #include of a cgi script. I don't think many people would need to use it,
> although they might use it out of paranoia.

My opinion is that I shouldn't have to add an IncludesNOEXECCGI (or whatever)
just to make my existing status (w/1.3R) regarding security and unnecessary
server load the same under Apache.  I do use NOEXEC to prevent users from
including CGI stuff -- I don't trust my users and I don't trust CGI scripts
(even after I have checked them).

It would make more sense to keep IncludesNoExec as is and add

    IncludesNoExecCMD

which just turns off exec cmd.

......Roy
