httpd-dev mailing list archives

From Andrew Wilson <and...@tees.elsevier.co.uk>
Subject Re: Apache incompatibility
Date Thu, 19 Oct 1995 14:08:22 GMT
> I've uploaded a patch for this:
> 
> 31_include.0.8.15.patch
> -----------------------
> 
> Subject: SSI #include file="/foo/bar" shouldn't work
> Affects: mod_include.c
> ChangeLog: Disallow includes of files not in the same directory as the
>            .shtml file.

Wups.  But I'm confused by the wording in the change log.  It seems to imply
that you don't want to allow 'file' to operate on subdirectories...

Just for the record, because I think it's not something that's terribly
well documented in any doc I've ever seen, and I don't want to be further
confused by other people's interpretations - What is the difference, as we
understand it, between:

	#include file="....."

and 
	#include virtual="....."

Suggestions:

file	"....." can be in SAME directory as including file

	file="local_header.html"

	"....." can be in subdirectories

	file="Way/Down/There/foo.html"

	"....." can NOT be anywhere else

	file="/This/Is/Just/Plain/r0ng.html"
	file="../../As/Is/thi5.html"		<-- YOU NEED TO CHECK THIS TOO!
						    IF WE'RE TO BE NCSA 1.3R
						    COMPATIBLE

virtual	"....." can be anywhere in UNIX space eg:

	virtual="/etc/passwd"

	"....." can be anywhere in document space

	virtual="../../Admin/default_copyright.html"

	
References:

   http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html


SUMMARY

It's still broken and this patch will hurt people ;)

Cheers,
Ay.
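
An added example, not part of the original message and not Apache's mod_include code: a lexical check implementing the rule the message proposes for `file=` (same directory or subdirectories only, no absolute paths, no `..` components). The function name `ssi_file_arg_ok` and the sample arguments are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Returns 1 if an SSI `file=` argument stays in the including document's
 * directory or below it, 0 otherwise. Hypothetical helper, not Apache code. */
int ssi_file_arg_ok(const char *arg)
{
    const char *p = arg;

    if (arg == NULL || *arg == '\0')
        return 0;               /* nothing to include */
    if (*arg == '/')
        return 0;               /* absolute path: file="/This/Is/..." */

    while (*p != '\0') {
        size_t len = strcspn(p, "/");   /* length of this component */

        /* Reject a component that is exactly "..". Names that merely
         * contain dots ("foo..bar", "..hidden") are ordinary files. */
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return 0;

        p += len;
        while (*p == '/')       /* skip separator(s), tolerating "a//b" */
            p++;
    }
    return 1;
}

int main(void)
{
    /* Constructed sample arguments, based on the cases in the message. */
    const char *samples[] = {
        "local_header.html",
        "Way/Down/There/foo.html",
        "/This/Is/Just/Plain/r0ng.html",
        "../../As/Is/thi5.html",
        "Way/../../escape.html",
        "notes..old/foo.html",
    };
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-34s %s\n", samples[i],
               ssi_file_arg_ok(samples[i]) ? "allow" : "reject");
    return 0;
}
```

The check is lexical only: it rejects a `..` component anywhere in the argument, not just at the start, but it does not resolve symbolic links inside the directory.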

