Return-Path: owner-new-httpd
Received: by taz.hyperreal.com (8.6.10/8.6.5) id XAA16003;
    Sat, 15 Apr 1995 23:43:14 -0700
Received: from paris.ics.uci.edu by taz.hyperreal.com (8.6.10/8.6.5)
    with SMTP id XAA15998; Sat, 15 Apr 1995 23:43:12 -0700
Received: from avron.ics.uci.edu by paris.ics.uci.edu id aa08581;
    15 Apr 95 23:34 PDT
To: new-httpd@hyperreal.com
Subject: Re: IncludesYesCGInoCMD
In-reply-to: Your message of "Thu, 13 Apr 1995 15:56:00 -0000."
Date: Sat, 15 Apr 1995 23:34:52 -0700
From: "Roy T. Fielding"
Message-ID: <9504152334.aa08581@paris.ics.uci.edu>
Sender: owner-new-httpd@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

David wrote:

> Re Patch E66, which adds an IncludesYesCGInoCMD
> I don't think one should have to change one's config files to allow #include
> cgi scripts, as the security risk is low.
> I would rather Includes and IncludesNOEXEC allow #include of cgi scripts,
> and instead create an IncludesNOEXECCGI which disallowed both #cmd _and_
> #include of a cgi script. I don't think many people would need to use it,
> although they might use it out of paranoia.

My opinion is that I shouldn't have to add an IncludesNOEXECCGI (or
whatever) just to make my existing status (w/1.3R) regarding security
and unnecessary server load the same under Apache. I do use NOEXEC to
prevent users from including CGI stuff -- I don't trust my users and
I don't trust CGI scripts (even after I have checked them).

It would make more sense to keep IncludesNoExec as is and add
IncludesNoExecCMD which just turns off exec cmd.

......Roy