httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <br...@organic.com>
Subject Re: nph- deprecation
Date Fri, 10 Jan 1997 08:37:48 GMT
On Wed, 8 Jan 1997 sameer@c2.net wrote:
> 1) an option to disable nph: NphDisable
> 	I do think #1 is worth going into the beta, because it is a
> security thing. 

Hmm... what about instead, closing the fd to stdin to the nph script after the
script starts outputting data?  That way the nph script can't answer a second
kept-alive request and start spoofing things.  Will that work?  I'd +1 that as
a security fix for 1.2.  Disabling NPH scripts isn't enough for 1.2 imho.

> 2) making my unbuffered cgi patch a "supported patch"

+1.

	Brian

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS


Mime
View raw message