httpd-dev mailing list archives

From Rob Hartill <r...@imdb.com>
Subject WWW Form Bug Report: "Server-side Includes shouldn't allow Unix execution" on OTHER:all (fwd)
Date Fri, 18 Oct 1996 18:36:28 GMT

acked.

This request is almost as old as Apache itself.



----- Forwarded message from jason@oit.co.uk -----

Message-Id: <199610181649.JAA02566@taz.hyperreal.com>
From: jason@oit.co.uk
To: apache-bugs%apache.org@organic.com
Date: Fri Oct 18  9:49:02 1996
Subject: WWW Form Bug Report: "Server-side Includes shouldn't allow Unix execution" on OTHER:all

Submitter: jason@oit.co.uk
Operating system: OTHER:all, version: 
Version of Apache Used: 1.1.1 - 1.2
Extra Modules used: 
URL exhibiting problem: 

Symptoms:
--

I'm concerned that Apache allows people to run Unix 
commands via SSI. It's one thing to allow CGI hooks,
where (in our case) the Sysadmin has control over what
directories are capable of running CGIs, but Unix 
commands?!?! I'd love it if Apache could be configured 
to allow SSI CGIs but not Unix commands.

Here's a patch I use to disable this feature. What 
would be better would be making this a configuration 
option. Maybe IncludeNOUNIX?

diff -p mod_include.c mod_include.c.orig 
*** mod_include.c       Fri Oct 18 17:44:21 1996
--- mod_include.c.orig  Fri Oct 18 17:36:33 1996
*************** void include_cmd_child (void *arg)
*** 561,569 ****
  #endif    
      cleanup_for_exec();
      /* set shellcmd flag to pass arg to SHELL_PATH */
- #ifdef ALLOW_UNIX_EXEC
      call_exec(r, s, create_environment (r->pool, env), 1);
- #endif /* ALLOW_UNIX_EXEC */
      
      /* Oh, drat.  We're still here.  The log file descriptors are closed,
       * so we have to whimper a complaint onto stderr...
--- 561,567 ----
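
Review bot: with ALLOW_UNIX_EXEC undefined, include_cmd_child skips call_exec() and falls straight into the "Oh, drat. We're still here" path, so a deliberately disabled command is reported on stderr as if the exec had failed, and only after cleanup_for_exec() has already run in the child. It would be cleaner to refuse the command before include_cmd_child is ever reached and to log a distinct "exec disabled" message, ideally driven by a run-time configuration setting rather than a compile-time macro, as the report itself suggests. The diff is also reversed: the modified file is listed first (`diff -p mod_include.c mod_include.c.orig`), so the new guard lines show up as `-` and the patch only applies with `patch -R`; regenerating it as `diff -p mod_include.c.orig mod_include.c` would fix that.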

