httpd-dev mailing list archives

From Marc Slemko <ma...@worldgate.com>
Subject Re: IncludesNOEXEC and include virtual
Date Mon, 09 Jun 1997 03:46:52 GMT
On Sun, 8 Jun 1997, Alexei Kosut wrote:

> On Sun, 8 Jun 1997, Marc Slemko wrote:
> 
> > With IncludesNOEXEC you can do an include virtual of a script in a
> > ScriptAliased directory but not of a CGI script outside of one.
> > 
> > Is that how it is supposed to be?  I would think it would be a good
> > thing to allow execution of all CGI scripts that could otherwise be
> > executed...
> 
> If that's true (and I haven't tried it yet), it's definitely a bug;
> Includes vs. IncludesNoExec should have absolutely no impact on
> include virtual.


It is due to this bit of code in mod_include:

            if (!error_fmt && noexec && rr->content_type
                && (strncmp (rr->content_type, "text/", 5))) {
                error_fmt =
                  "unable to include potential exec %s in parsed file %s";
            }

This code tries to play it safe by not allowing anything other than text/*
files to be included in a noexec.  Is that whole statement bogus?  It does
nothing for exec cgi because that is handled by a different subroutine,
and if something can get through a sub_req_lookup_* wouldn't it be allowed
to happen anyway?  i.e. any execution that shouldn't happen would be denied
by the normal methods.

The only reason I can see for that being there is paranoia (perhaps
justified...) over sub requests being broken.
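
An added example, not part of the original message or of Apache's source: it models the quoted check on constructed sub-request results to show which includes it refuses and how that compares with whether CGI would actually run. The `subreq` struct, the helper names, the sample rows and the rule that the `cgi-script` handler or the `application/x-httpd-cgi` type selects CGI execution are assumptions made for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the request_rec fields involved. */
struct subreq {
    const char *label;
    const char *content_type;   /* NULL when no type was resolved */
    const char *handler;        /* NULL when no handler was set */
};

/* The quoted mod_include predicate: 1 means the include is refused. */
static int noexec_refuses(int noexec, const struct subreq *rr)
{
    return noexec && rr->content_type
        && strncmp(rr->content_type, "text/", 5) != 0;
}

/* Assumption: CGI runs when the handler or the magic type selects it. */
static int would_run_cgi(const struct subreq *rr)
{
    return (rr->handler && strcmp(rr->handler, "cgi-script") == 0)
        || (rr->content_type
            && strcmp(rr->content_type, "application/x-httpd-cgi") == 0);
}

/* Constructed sub-request results, not captured from a server. */
static const struct subreq cases[] = {
    { "ScriptAlias script, no type", NULL,                      "cgi-script" },
    { "script typed as CGI",         "application/x-httpd-cgi", NULL },
    { "static HTML",                 "text/html",               NULL },
    { "static image",                "image/gif",               NULL },
    { "text type plus CGI handler",  "text/plain",              "cgi-script" },
};
#define NCASES (sizeof cases / sizeof cases[0])

/* Cases where "refused" and "would execute" disagree under noexec. */
static int count_disagreements(void)
{
    int n = 0;
    for (size_t i = 0; i < NCASES; i++)
        n += noexec_refuses(1, &cases[i]) != would_run_cgi(&cases[i]);
    return n;
}

int main(void)
{
    for (size_t i = 0; i < NCASES; i++)
        printf("%-30s refused=%d runs_cgi=%d\n", cases[i].label,
               noexec_refuses(1, &cases[i]), would_run_cgi(&cases[i]));
    return 0;
}
```

The first and last rows pass the check while selecting the CGI handler, and the image row is refused although nothing would execute.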

