httpd-dev mailing list archives

From Brian Behlendorf <>
Subject Re: IncludesYesCGInoCMD
Date Mon, 17 Apr 1995 03:52:27 GMT
On Sat, 15 Apr 1995, Roy T. Fielding wrote:
> My opinion is that I shouldn't have to add an IncludesNOEXECCGI (or whatever)
> just to make my existing status (w/1.3R) regarding security and unnecessary
> server load the same under Apache.  I do use NOEXEC to prevent users from
> including CGI stuff -- I don't trust my users and I don't trust CGI scripts
> (even after I have checked them).

But... is there a big difference between 
<!--#include virtual="/cgi-bin/" --> and
<a href="/cgi-bin/">Click here for nudie gifs!</a>?
I.e., if you don't trust your users to create CGI scripts, you're not going 
to give them the chance to #include one of theirs anyways.  

> It would make more sense to keep IncludesNoExec as is and add
>     IncludesNoExecCMD
> which just turns off exec cmd.

I'm just trying to keep featuritis and server bloat under control.  Of 
course if everyone wants to make this the Emacs of servers (lisp 
interpreter, anyone? :) then I guess I'm outvoted.

Roy, if you come back and say it's truly not the same, then I'll relent.


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--  http://www.[hyperreal,organic].com/
