httpd-dev mailing list archives

From Lucid <lu...@secret.org>
Subject Re: Server Side Include security question...
Date Thu, 13 Jun 1996 22:25:48 GMT
> 
> 
> <!--#exec cgi="/cgi-bin/navbar.cgi?area=1" --> 
> 
> would be better in my opinion - not that there is some SSI spec which we must
> adhere to, but simply this seems to be the least different way of
> performing this.  However, as I understand it, this isn't possible for
> reasons of NCSA back compatibility, the NCSA 1.3 server would use the
> QUERY_STRING and PATH_INFO of the document being called (i.e.
> http://host/path/file.shtml/path_info?query_string) for whatever reason.
> However, I'm pretty sure <!--#include virtual="/cgi-bin/navbar.cgi?area=1"
> --> is the way to work around this.
> 
> Hmm, this should go in the FAQ.
> 
> 	Brian
> 

I was going to do just that except for
/* No hardwired path info or query allowed */
in the source... anyway, here is the patch that
makes <!--#exec cgi="/cgi-bin/navbar.cgi?area=1" --> work

Bill Morris
memetic Design
BMorris@memetic.com
800-647-3597


*** mod_include.c.old	Thu Jun 13 13:16:15 1996
--- mod_include.c	Thu Jun 13 18:01:19 1996
***************
*** 340,354 ****
      
      if (rr->status != 200) return -1;
      
!     /* No hardwired path info or query allowed */
      
!     if ((rr->path_info && rr->path_info[0]) || rr->args) return -1;
      if (rr->finfo.st_mode == 0) return -1;
  
      /* Script gets parameters of the *document*, for back compatibility */
      
      rr->path_info = r->path_info; /* painful to get right; see mod_cgi.c */
-     rr->args = r->args;
      
      /* Force sub_req to be treated as a CGI request, even if ordinary
       * typing rules would have called it something else.
--- 340,353 ----
      
      if (rr->status != 200) return -1;
      
!     /* No hardwired path info BUT query allowed  (bmorris@memetic.com) */
      
!     if (rr->path_info && rr->path_info[0]) return -1;
      if (rr->finfo.st_mode == 0) return -1;
  
      /* Script gets parameters of the *document*, for back compatibility */
      
      rr->path_info = r->path_info; /* painful to get right; see mod_cgi.c */
      
      /* Force sub_req to be treated as a CGI request, even if ordinary
       * typing rules would have called it something else.
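
Review bot: removing `rr->args = r->args;` outright in the new version means an `exec cgi` directive written without a query string no longer passes the enclosing document's QUERY_STRING to the script, yet the retained comment "Script gets parameters of the *document*, for back compatibility" still says it does. If the NCSA-compatible behaviour should survive for directives that carry no query, keep the assignment as a fallback, e.g. `if (!rr->args) rr->args = r->args;`, and reword that comment to say that path_info always comes from the document while args come from the directive when it supplies them. The remaining `rr->path_info` check still rejects hardwired path info, so only the query handling changes here; that is worth stating in the comment instead of the author attribution.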


