httpd-dev mailing list archives

From Marc Slemko <>
Subject Re: IncludesNOEXEC and include virtual
Date Mon, 09 Jun 1997 03:08:58 GMT
Something is bogus here.  The manual:

          This command inserts the text of another document or file into 
          the parsed file. Any included file is subject to the usual    
          access control. If the directory containing the parsed file has
          the Option IncludesNOEXEC set, and the including the document  
          would cause a program to be executed, then it will not be      
          included; this prevents the execution of CGI scripts. Otherwise
          CGI scripts are invoked as normal using the complete URL given 
          in the command, including any query string.                 

However this is _not_ true.  The current code allows ScriptAliased
directories through (because the subrequest content type is null)
but not CGI scripts done with an AddHandler (because the content type
is not null and is not text/*).  

My feeling is that include virtual should be defined as doing nearly
exactly the same thing that a request for that page would; if it means
executing a CGI that would be executed if requested directly, do it
even if IncludesNOEXEC is set.

ISTR people always saying "use include virtual" whenever someone brought
up adding a new directive to allow for you to allow people to include
CGIs that are really CGIs but not any odd script...

On Sun, 8 Jun 1997, Marc Slemko wrote:

> With IncludesNOEXEC you can do an include virtual of a script in a
> ScriptAliased directory but not of a CGI script outside of one.
> Is that how it is supposed to be?  I would think it would be a good
> thing to allow execution of all CGI scripts that could otherwise be
> executed...

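The mismatch the message describes between the manual's rule and the content-type check, as an added example that is not part of the original message and is not Apache source code. The struct, the function names, the sample URIs and the content-type strings are all assumptions, constructed to match the description (null type for the ScriptAliased script, a non-null, non-text type for the AddHandler script).

```c
#include <stdio.h>
#include <string.h>

/* Constructed model of a subrequest result; field names are hypothetical. */
struct subreq {
    const char *uri;
    const char *content_type;   /* NULL when no type was assigned */
    int runs_program;           /* 1 if serving it would execute a CGI */
};

/* The check as the message describes it: with IncludesNOEXEC, refuse only
 * when a content type is present and it is not text/something. */
static int code_refuses(const struct subreq *r)
{
    return r->content_type != NULL
        && strncmp(r->content_type, "text/", 5) != 0;
}

/* The rule as the quoted manual text states it: refuse anything that
 * would cause a program to be executed. */
static int manual_refuses(const struct subreq *r)
{
    return r->runs_program;
}

/* Constructed samples; the content-type values are assumptions. */
static const struct subreq samples[] = {
    { "/cgi-bin/counter",   NULL,                      1 }, /* ScriptAliased */
    { "/tools/counter.cgi", "application/x-httpd-cgi", 1 }, /* AddHandler */
    { "/footer.html",       "text/html",               0 },
    { "/logo.gif",          "image/gif",               0 },
};

/* Count the samples where the two rules disagree, printing each one. */
static int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        int c = code_refuses(&samples[i]), m = manual_refuses(&samples[i]);
        if (c != m) {
            printf("%-20s check=%s manual=%s\n", samples[i].uri,
                   c ? "refuse" : "include", m ? "refuse" : "include");
            n++;
        }
    }
    return n;
}

int main(void) { return count_disagreements() == 2 ? 0 : 1; }
```

In this model a content-type test stands in for "would execute a program", so the two rules diverge whenever the type is missing or is simply non-text.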