Received: (from majordom@localhost) by hyperreal.com (8.8.5/8.8.5) id OAA10078; Tue, 27 May 1997 14:07:57 -0700 (PDT) Received: from Secret ([198.115.140.5]) by hyperreal.com (8.8.5/8.8.5) with SMTP id OAA10073 for ; Tue, 27 May 1997 14:07:52 -0700 (PDT) Date: Tue, 27 May 1997 15:56:17 -0400 Message-Id: <97052715561735@decus.org> From: coar@decus.org (Rodent of Unusual Size) To: New-HTTPd@apache.org, Coar@decus.org Subject: Re: Weak documentation on Module mod_include (fwd) X-VMS-To: SMTP%"New-HTTPd@Apache.Org" X-VMS-Cc: COAR Sender: new-httpd-owner@apache.org Precedence: bulk Reply-To: new-httpd@apache.org >From the fingers of Rob Hartill flowed the following: > >This looks worrying. Anyone setup to do a quick test of this ? Bear in mind that he's talking 1.1. As I recall, there have been quite a few changes in this area for 1.2.. My systems aren't back yet, so I can't test this - and I don't think I have a 1.1 server running anyway. >Date: Tue, 27 May 1997 21:02:47 +0200 >From: Peder Langlo > >In http://www.apache.org/docs/mod/mod_include.html: > >exec > The exec command executes a given shell command or CGI script. The > IncludesNOEXEC Option disables this command completely. The valid >attributes > are: >. >. >. > cmd > The server will execute the given string using /bin/sh. The >include > variables are available to the command. > >-- >I can make cmd be executed in the document directory by saying "./cmd" >but not "cmd". Also, it will not be run in /bin/sh if cmd has the >"#!path-to-shell" in the first line. If he means that this works even if IncludesNoExec is set for the directory in question, yes it looks like a problem. If he means that he needs to put "./" in front of the command, it looks like a simple invalid assumption (his) about the setting of PATH. /bin/sh will hand a script off appropriately according to the magic cookie. It's still being started under /bin/sh's auspices, so that's not inaccurate. #ken :-/}