httpd-dev mailing list archives

From "Roy T. Fielding" <field...@avron.ICS.UCI.EDU>
Subject Re: IncludesYesCGInoCMD
Date Tue, 18 Apr 1995 02:39:25 GMT
Brian asked:

> But... is there a big difference between
> <!--#include virtual="/cgi-bin/nukeserver.pl" --> and
> <a href="/cgi-bin/nukeserver.pl">Click here for nudie gifs!</a>?
> I.e., if you don't trust your users to create CGI scripts, you're not going
> to give them the chance to #include one of theirs anyways.

Yes -- CGI scripts are usually intended to be used in a certain way
and with a certain purpose in mind, and that is how I test them when
people ask me to put one in the scripts directory.  Furthermore, I give
them a reasonably distinctive name so that a person selecting a hypertext
link can see that they are about to access a script (assuming they actually
care about these things).

In contrast, an #include cgi="" is activated without the user's knowledge
and within a different context (perhaps) than what was intended by the
script author.

As security concerns go, this one's pretty marginal.  However, it is
significant enough for me to pro-actively avoid the maintenance hassles
of having to care about it.  As it stands now, I don't even have the time
to check people's normal CGI scripts, so I just disallow them altogether
until the department pulls together the funds for a real webmaster.

.......Roy
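A small scanner, added here as an example and not part of the original thread, that flags the SSI directives in a user-supplied .shtml page which would run a program when the page is served: the `#include virtual` of a CGI script Brian mentions, and `#exec` (cmd or cgi). It assumes /cgi-bin/ is the script directory and uses a constructed sample page.

```python
import re

# An SSI directive looks like <!--#name attr="value" attr="value" -->
SSI_RE = re.compile(r'<!--#(\w+)((?:\s+\w+="[^"]*")*)\s*-->')
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

# Assumption for this example: URL paths under these prefixes are CGI scripts.
CGI_PREFIXES = ("/cgi-bin/",)

# Constructed sample page: one harmless include, one include of a CGI script,
# one #exec, one plain file include, and an ordinary link to the same script.
SAMPLE_SHTML = """\
<html><body>
<!--#include virtual="/header.html" -->
<!--#include virtual="/cgi-bin/nukeserver.pl" -->
<!--#exec cmd="date" -->
<!--#include file="footer.html" -->
<a href="/cgi-bin/nukeserver.pl">Click here</a>
</body></html>
"""


def find_executing_directives(shtml, cgi_prefixes=CGI_PREFIXES):
    """Return (line_no, directive_text, reason) for every SSI directive that
    executes a program at serve time, i.e. without the reader choosing to."""
    prefixes = tuple(cgi_prefixes)
    findings = []
    for line_no, line in enumerate(shtml.splitlines(), 1):
        for m in SSI_RE.finditer(line):
            name = m.group(1)
            attrs = dict(ATTR_RE.findall(m.group(2)))
            if name == "exec":
                # #exec cmd="..." runs a shell command, #exec cgi="..." a CGI script
                kind = "cmd" if "cmd" in attrs else "cgi"
                findings.append((line_no, m.group(0), f"exec {kind}"))
            elif name == "include" and "virtual" in attrs:
                # A virtual include of a CGI path runs the script and inlines its output;
                # ignore any query string when matching the path.
                target = attrs["virtual"].split("?", 1)[0]
                if target.startswith(prefixes):
                    findings.append((line_no, m.group(0), "include virtual of CGI script"))
    return findings


if __name__ == "__main__":
    for line_no, text, reason in find_executing_directives(SAMPLE_SHTML):
        print(f"line {line_no}: {reason}: {text}")
```

The plain `<a href>` on line 6 of the sample is deliberately not reported, since following it is the reader's own choice, which is the distinction Roy draws above.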
