httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (David Robinson)
Subject Re: Apache incompatibility
Date Fri, 20 Oct 1995 18:08:00 GMT
>As I have understood and used it:
>file="..." is a path (absolute or relative) to an included document.
>virtual="..." uses DOCUMENTROOT for the active server and *must* begin

file= a relative path to a file in the same directory or a sub-dir ONLY
virtual= an absolute URL (i.e. starts from DocumentRoot)

file= a relative or absolute file to anywhere
virtual a _relative_ or absolute URL (so is always in the doucment tree

>From a security standpoint, I would prefer to preserve the functionality
>above and perhaps restrict file="..." to be a file within the DOCUMENTROOT
>filespace.  Use of FollowSymlink etc. should be our controls of this

You have that in Apache with the extra functionality of virtual=...
This extra functionality hurts nobody.

However, you also have the extra functionality of file=xxxx to point to
any file on the system. The suggestion is that sysadmins wouldn't expect
this, and might reasonably complain that they didn't know they were
allowing their users access to this feature when they switched to Apache.


View raw message