httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From (Rodent of Unusual Size)
Subject Re: Weak documentation on Module mod_include (fwd)
Date Tue, 27 May 1997 19:56:17 GMT
>From the fingers of Rob Hartill flowed the following:
>This looks worrying. Anyone setup to do a quick test of this ?

    Bear in mind that he's talking 1.1.  As I recall, there have been
    quite a few changes in this area for 1.2..  My systems aren't back
    yet, so I can't test this - and I don't think I have a 1.1 server
    running anyway.

>Date: Tue, 27 May 1997 21:02:47 +0200
>From: Peder Langlo <>
>     The exec command executes a given shell command or CGI script. The
>     IncludesNOEXEC Option disables this command completely. The valid
>     are: 
>     cmd 
>         The server will execute the given string using /bin/sh. The
>         variables are available to the command. 
>I can make cmd be executed in the document directory by saying "./cmd"
>but not "cmd". Also, it will not be run in /bin/sh if cmd has the
>"#!path-to-shell" in the first line.

    If he means that this works even if IncludesNoExec is set for the
    directory in question, yes it looks like a problem.  If he means
    that he needs to put "./" in front of the command, it looks like a
    simple invalid assumption (his) about the setting of PATH.

    /bin/sh will hand a script off appropriately according to the magic
    cookie.  It's still being started under /bin/sh's auspices, so
    that's not inaccurate.

    #ken    :-/}

View raw message