httpd-dev mailing list archives
From d...@ast.cam.ac.uk (David Robinson)
Subject Re: votes for 0.6 SUMMARY
Date Sat, 15 Apr 1995 19:01:00 GMT
Brian wrote:
> > Allowing CGI includes is not much worse than allowing the
> > CGI themselves.
> 
> Exactly - so, was there a patch to allow 
> <!--#include virtual="/cgi-bin/foo" --> and I missed it?  And if so, what 
> does IncludesNoExecYesCGI let you do that the above + IncludesNoExec
> doesn't?? 
> 
> ...
> > With monitored ScriptAliased cgi (which many sites have), the 
> > webmaster "knows" what the scripts do, he trusts them. 
> > The "cmd" stuff cannot be monitored if users have the ability to
> > do includes.
> 
> Totally understood.
> 
> > I just don't understand the objection. There are no "new" security holes
> > which come with this, but a few holes will be plugged with it.
> 
> I think we're crossing wires somewhere....
> 
>        Brian

Let me explain what I see as the disagreement.

                                              Option value
                                   Includes   IncludesNoExec  IncludesNoCMD*
Current status:
  #include virtual="/cgi-bin/script"   No         No              -
  #exec cmd="./hack.pl"                Yes        No              -
Brian's preference:
  #include virtual="/cgi-bin/script"   Yes        Yes             -
  #exec cmd="./hack.pl"                Yes        No              -
Rob's patch:
  #include virtual="/cgi-bin/script"   Yes        No              Yes
  #exec cmd="./hack.pl"                Yes        No              No

*Actually IncludesYesCGInoCMD

I too would prefer the behaviour of options=Includes and IncludesNoExec
to change to allow #include of CGI scripts that would be executable by
the client anyway.

I haven't checked that the patch does _not_ allow
#include file="/my/cgi-script", i.e. only allows execution of scripts that
have a URL.

 David.
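The following is an added example, not code from the thread or from the Apache/NCSA server: a small Python model of the option table above. It parses the SSI directives the message discusses (`#include virtual`, `#include file`, `#exec cmd`) out of an `.shtml` body and reports, for each of the three proposals (current behaviour, Brian's preference, Rob's patch), which directives a given `Options` value would let execute. The `SCRIPT_ALIASES` map, the `POLICIES` table, the `SAMPLE` page and every function name are assumptions constructed for the example; in particular it encodes David's closing point as a rule: only a `virtual` include whose URL falls under a ScriptAlias counts as a CGI, while a `file` include names a filesystem path with no URL and is treated as plain text.

```python
import re

# Regexes for the SSI comment syntax discussed in the thread, e.g.
#   <!--#include virtual="/cgi-bin/foo" -->   <!--#exec cmd="./hack.pl" -->
SSI_DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.S)
SSI_ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

# Constructed ScriptAlias table (URL prefix -> directory); a real site's
# httpd.conf defines these.  Only URLs under these prefixes are CGI scripts.
SCRIPT_ALIASES = {"/cgi-bin/": "/usr/local/etc/httpd/cgi-bin/"}

# The three proposals from the table in the message, as the set of
# code-executing directive kinds each Options value permits.
#   "cmd" = #exec cmd,  "cgi" = #include virtual of a ScriptAliased URL.
POLICIES = {
    "current": {"Includes": {"cmd"}, "IncludesNoExec": set()},
    "brian":   {"Includes": {"cmd", "cgi"}, "IncludesNoExec": {"cgi"}},
    "rob":     {"Includes": {"cmd", "cgi"}, "IncludesNoExec": set(),
                "IncludesNoCMD": {"cgi"}},
}


def parse_ssi(text):
    """Return [(directive_name, {attr: value}), ...] for every SSI comment."""
    return [(m.group(1), dict(SSI_ATTR.findall(m.group(2))))
            for m in SSI_DIRECTIVE.finditer(text)]


def classify(directive, attrs):
    """Return 'cmd', 'cgi', or None (a text include that executes nothing)."""
    if directive == "exec" and "cmd" in attrs:
        return "cmd"
    if directive == "include" and "virtual" in attrs:
        url = attrs["virtual"]
        if any(url.startswith(prefix) for prefix in SCRIPT_ALIASES):
            return "cgi"
    # #include file="..." names a filesystem path, not a URL: there is no
    # ScriptAlias to consult, so the model never treats it as a CGI.
    return None


def audit(text, policy, option):
    """Evaluate every directive in an .shtml body under one policy/option.

    Returns [(directive, kind, verdict), ...] where verdict is 'allowed'
    (would execute), 'refused' (server would not run it) or 'text'.
    """
    permitted = POLICIES[policy][option]
    rows = []
    for name, attrs in parse_ssi(text):
        kind = classify(name, attrs)
        if kind is None:
            verdict = "text"
        elif kind in permitted:
            verdict = "allowed"
        else:
            verdict = "refused"
        rows.append((name, kind, verdict))
    return rows


# Constructed .shtml body covering the cases raised in the thread.
SAMPLE = """<html><body>
<!--#include virtual="/cgi-bin/foo" -->
<!--#exec cmd="./hack.pl" -->
<!--#include file="/my/cgi-script" -->
<!--#include virtual="/footer.html" -->
</body></html>"""

if __name__ == "__main__":
    for policy, option in [("current", "Includes"),
                           ("brian", "IncludesNoExec"),
                           ("rob", "IncludesNoCMD")]:
        print("--- %s: Options %s" % (policy, option))
        for row in audit(SAMPLE, policy, option):
            print("  %-8s %-5s %s" % row)
```

Running it shows the disagreement in one screen: under the current code `Options Includes` runs `#exec cmd` but refuses the CGI include, Brian's `IncludesNoExec` runs the CGI include and refuses `cmd`, and Rob's `IncludesNoCMD` does the same; in every mode the `file` include of a CGI path is only ever read as text.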
