httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Nathan Neulinger <>
Subject Re: mod_cgissi
Date Sun, 03 Nov 1996 22:54:14 GMT
At 2:14 PM -0800 11/3/96, Brian Behlendorf wrote:
>So, our engineers here are screaming for a way to do SSI parsing on CGI
>They're not happy with the answer that Apache 2.0 will probably be able to do
>that; and they're happy to have a special-cased module which does this apart
>from mod_cgi and mod_include.  So, module-gurus out there: is there any reason
>why this should be incredibly difficult to do?  Any pointers or tips?

Other than the that the very idea makes me cringe...  Anyone is going to
have to excape almost 100% of their output... With that, you couldn't even
print out what the user typed in without checking it for characters that
would need to be protected.

I would hate to think that the apache group would ever distribute such a

Technically, I don't see any reason why it would be any more difficult than
doing it for regular files, but it would open such an unvelievably gaping
security hole.

Think about it, even standard things like the error page that says "please
contact the administrator of the referring url." What happens if the URL
they requested has a SSI embedded in it... Or any similar type of thing.
Outputting data from a CGI script should not be a security risk. Before,
all you would have to do is trust what you do with input as far as
exevuting commands. Even the basic test cgi that echo's the input would be
a security hole.

I'm not a voting member, but if I were I'd give even considering this one a
big negative vote.

There are plenty of tools out there for doing this sort of thing internal
to the cgi... Where it has to be called deliberately.

Just my two cents worth...

-- Nathan

Nathan Neulinger                  Univ. of Missouri - Rolla
EMail:                  Computing Services
WWW:      SysAdmin:

View raw message