httpd-dev mailing list archives

From: "Roy T. Fielding" <field...@avron.ICS.UCI.EDU>
Subject: Re: removal of cgi-bin and cgi-src
Date: Tue, 23 Apr 1996 10:23:55 GMT

> Folks, we have a problem.  We do not consider the code we distribute in 
> the cgi-src and cgi-bin directories as supported Apache code.  This has 
> not been a conscious decision, but more a reflection of the fact that 
> very few of us actually use it or care about it.  Yet, it is being 
> bundled with our software, and when there is a security warning or 
> problem with the software, the Chinese wall inside our heads is not 
> relevant.  So, I propose that we remove the cgi-bin and cgi-src 
> directories - optionally, we can add a text file pointing to the more 
> common CGI resources out there.  There are only three files we have added 
> to the cgi-src directory - animate.c (a server-push CGI script), count.c 
> (a server-side counter) and random.c (a random-URL generator).  Those 
> could either be packaged separately or pointed at elsewhere.  


At the very least (and I've mentioned this before), all programs must
be removed from cgi-bin and left non-executable in cgi-src.  Users
should never be encouraged to install a CGI script, and should only
be allowed to do so by conscious action.

