httpd-dev mailing list archives

From Andrew Wilson <and...@tees.elsevier.co.uk>
Subject Re: Vote summary for 0.8.15
Date Fri, 03 Nov 1995 13:26:50 GMT
> >FYI, I have a tentative build of 0.8.16, built according to these votes
> >(barring *further* last-minute changes), in
> >ftp://ftp.ai.mit.edu/pub/users/rst.
> 
> Sigh; we seem to have stalled again. Can you upload that as 0.8.16?
> (At least that would make some progress.)
> 
> Outstanding problems:
> 1. // in paths
> 2. The #include file=xxx problem. Randy seems to have disappeared from this
>    list. If this problem is not fixed, then the compatibility notes will
>    need a big notice stating:
> 
>    SECURITY Feature: Unlike NCSA httpd or Apache 0.6.5, Web admins concerned
>    about security (who would not set the FollowSymLinks option for example)
>    should be concerned about allowing server-side includes in any form. With
>    Apache 0.8, Options IncludesNOEXEC (and Options Includes) will allow users
>    to link in any file on the machine into their documents. NCSA httpd
>    (and Apache 0.6 and earlier) only allow the inclusion of files that
>    the client could access anyway.

IMHO we should *NOT* permit Apache 1.0 to do stuff that NCSA 1.3R can't. I
notice that 0.8.16 still doesn't treat file and virtual any
differently. This is just plain br0ken. Which patch went in to fix
this? I thought David R had had two bites at fixing this and got it
right the second time?

Confused.

>  David.

Ay.
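
The restriction discussed in this message, sketched as an added example that is not part of the original email and is not Apache or NCSA code. It assumes one possible policy for the `file` argument of `#include`: the path must stay at or below the directory of the parsed document. The function name and the sample arguments are hypothetical.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not Apache or NCSA code): decide whether the argument
 * of <!--#include file="..." --> may be opened. Assumed policy: absolute
 * paths and any ".." component are refused, so the include cannot name an
 * arbitrary file on the machine. Symlinks need a separate check, as with
 * FollowSymLinks. */
bool ssi_file_arg_allowed(const char *arg)
{
    if (arg == NULL || arg[0] == '\0')
        return false;               /* nothing to include */
    if (arg[0] == '/')
        return false;               /* absolute path */

    const char *p = arg;
    while (*p != '\0') {
        /* Isolate one component between slashes. */
        size_t len = strcspn(p, "/");
        if (len == 2 && p[0] == '.' && p[1] == '.')
            return false;           /* climbs out of the document's directory */
        p += len;
        while (*p == '/')
            p++;                    /* skip separators, including "//" runs */
    }
    return true;
}

int main(void)
{
    /* Constructed sample arguments, not taken from the thread. */
    const char *samples[] = { "footer.html", "inc/nav.html", "inc//nav.html",
                              "/etc/passwd", "../../etc/passwd",
                              "inc/../../secret", "a..b/c.html" };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-20s %s\n", samples[i],
               ssi_file_arg_allowed(samples[i]) ? "allow" : "refuse");
    return 0;
}
```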

