httpd-dev mailing list archives

From Brian Behlendorf <br...@organic.com>
Subject Re: votes for 0.6 SUMMARY
Date Sat, 15 Apr 1995 00:38:53 GMT
On Fri, 14 Apr 1995, Rob Hartill wrote:
> > > I'd like to know why Brian and Randy have vetoed this.
> > 
> > It has nothing to do with the name or the data structures, and everything 
> > to do with the conviction that allowing #include to point to CGI scripts 
> > solves this problem cleanly without introducing new security holes nor 
> > new configuration options.  I would love to be proved wrong on this.
> 
> Allowing CGI includes is not much worse than allowing the 
> CGI themselves.

Exactly - so, was there a patch to allow 
<!--#include virtual="/cgi-bin/foo" --> and I missed it?  And if so, what 
does IncludesNoExecYesCGI let you do that the above + IncludesNoExec
doesn't?? 

Sometimes I think some of these issues need to be resolved in a forum 
other than email....

> With monitored ScriptAliased cgi (which many sites have), the 
> webmaster "knows" what the scripts do, he trusts them. 
> The "cmd" stuff cannot be monitored if users have the ability to
> do includes.

Totally understood.

> I just don't understand the objection. There are no "new" security holes
> which come with this, but a few holes will be plugged with it.

I think we're crossing wires somewhere....

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  brian@hyperreal.com  http://www.[hyperreal,organic].com/
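The distinction the thread is arguing over (letting `#include virtual` point at a ScriptAliased CGI while keeping `#exec cmd` off) is easiest to see in configuration. The following is an added example written in modern httpd syntax for illustration; it is not from the thread, does not use 0.6-era directives, and the paths and the `IncludesNoExecYesCGI` name discussed above are not real options here. In current httpd, `IncludesNOEXEC` permits server-side includes but disables `#exec cmd` and `#exec cgi`, while `#include virtual` of a CGI script from a `ScriptAlias`ed directory still runs; that is the behaviour the `IncludesNoExec` plus `#include virtual` combination in the message relies on.

```apache
# Constructed example (not from the thread): SSI enabled for user content,
# with the shell-spawning #exec directives turned off.
ScriptAlias /cgi-bin/ "/usr/lib/cgi-bin/"

<Directory "/var/www/html">
    # Includes would additionally allow <!--#exec cmd="..." -->, which runs
    # arbitrary commands as the server user from any .shtml a user can write.
    Options IncludesNOEXEC
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

<Directory "/usr/lib/cgi-bin">
    # Only scripts the webmaster placed here are executable.
    Options +ExecCGI
    Require all granted
</Directory>
```

With this in place, a page containing `<!--#include virtual="/cgi-bin/foo" -->` runs the webmaster-controlled `foo` script and inlines its output, whereas `<!--#exec cmd="ls" -->` in the same page is refused. The trust boundary is therefore the ScriptAliased directory the webmaster monitors, not the user's document tree, which is the point Rob makes about "monitored ScriptAliased cgi".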

