httpd-dev mailing list archives

From Jim Jagielski
Subject Re: doc patches for symlinked logfile warnings
Date Sun, 05 Jan 1997 14:31:26 GMT
Marc Slemko wrote:
> I think that saying "we provide an API and whatever wrappers people send
> us; all we are responsible for is the wrapper" is simply shifting the
> blame.  Like it or not, no matter what disclaimer you put there if you
> include something in the apache distribution there is some sort of
> implication that it works in some way and that it has some association
> with Apache.  I really think we should make suexec secure (but, at least
> for now, minimalist), support it, and include pointers to any other
> scripts that people submit.  I don't think that just providing an API and
> a whole mess of unsupported scripts is a good solution.

My point is that Apache already allows for cgi-scripts to be run. In
doing so, we "allow" for wrappers if the webmaster so desires but
we also "allow" for them to be totally braindead as well. To me,
this seems all that Apache should really be worrying about. Once we
start focusing on also providing "secure" ways of doing scripts, we
are biting off more than required by a server. It also opens us up
to nasty CERT notices, which can't be good. Right now, if someone
uses the wrapper 'wideopen' with Apache, and 'wideopen' has a nasty
bug, it's the wrapper that gets the ticket, not Apache.

I think the only thing Apache really should be worried about _is_
the API. One good reason of course is that it _does_ shift the
blame, but another is that it allows for 3rd parties who might
be much more up-to-speed to fill the gap.

Think of the wrapper as a module almost... we provide the API for
modules, but we don't write modules for every situation. If we want
to include a wrapper as unsupported, well, but like it or not,
suexec is seen as the "official" way to wrap cgi-scripts. I think
our responsibility should be to focus on an API primarily.

      Jim Jagielski            |       jaguNET Access Services           |
                  "Not the Craw... the CRAW!"
