httpd-dev mailing list archives

From Howard Fear <>
Subject Re: mod_include.c patches
Date Sun, 08 Dec 1996 06:54:54 GMT

Randy Terbush writes:
> Before rushing to commit the mod_include patches, can anyone
> come up with something Bad(tm) that could be done with the
> escaping ability?  That just raises a red flag for me, but
> can't really think of anything... (yet)

The addition only adds a backslash escape for the current tag's
termination character in an include directive.

1) People not using includes will see no difference.
2) People using includes will only see a difference if they
   ended a tag with a backslash:
      <!--#config errfmt="this will break\" -->
   What they will generally get is a garbled page - I know, I had one
   in my xssi test page.  As I said, this only affects people who
   throw backslashes around - which should be a small group I'd think.

In general, this change is small compared to the escape ability
added by the ssi extensions, which adds general escape ability within
a tag string - except for the terminating character.  In general,
people who throw in backslashes will probably get bit by the
extensions anyway.

As for worse things, only in <!--# exec cmd=... -->, but nothing they
can't already do.

Howard Fear      email1:
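
The parsing change discussed in this message, as an added example that is not part of the original post and is not code from mod_include.c: it reads a quoted tag value with and without the backslash escape for the terminating character, and shows why a tag ending in `\"` swallows the following page text. The names `read_tag_value`, `honor_escape` and `SAMPLE` are hypothetical, and the sample input is constructed.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (not from mod_include.c): copy the quoted tag value
 * that starts at the opening quote in[0] into out.
 * With honor_escape set, a backslash followed by the terminating quote
 * yields a literal quote instead of ending the value.
 * Returns the number of input bytes consumed, or -1 if the value is
 * unterminated or does not fit in out. */
int read_tag_value(const char *in, int honor_escape, char *out, size_t outlen)
{
    char term = in[0];
    size_t i = 1, o = 0;

    if (term != '"' && term != '\'')
        return -1;
    while (in[i] != '\0') {
        if (honor_escape && in[i] == '\\' && in[i + 1] == term) {
            if (o + 1 >= outlen) return -1;
            out[o++] = term;        /* escaped terminator becomes literal */
            i += 2;
            continue;
        }
        if (in[i] == term) {        /* unescaped terminator ends the value */
            out[o] = '\0';
            return (int)(i + 1);
        }
        if (o + 1 >= outlen) return -1;
        out[o++] = in[i++];
    }
    return -1;                      /* ran off the end: no closing quote */
}

/* Constructed sample: the value from the errfmt directive in the message,
 * followed by page text that happens to contain another double quote. */
static const char SAMPLE[] =
    "\"this will break\\\" -->\n<p>He said \"hi\"</p>";

int main(void)
{
    char buf[128];
    int n = read_tag_value(SAMPLE, 0, buf, sizeof buf);
    printf("without escape: consumed=%d value=[%s]\n", n, buf);
    n = read_tag_value(SAMPLE, 1, buf, sizeof buf);
    printf("with escape:    consumed=%d value=[%s]\n", n, buf);
    return 0;
}
```

With the escape honored, the value runs past the intended ` -->` and stops at the next double quote in the page, which is the garbled output the message describes.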
