httpd-dev mailing list archives

From Marc Slemko
Subject Re: IncludesNOEXEC and include virtual
Date Mon, 09 Jun 1997 04:23:45 GMT
Hmm, looking back over the list archives it appears that this was discussed
(back in '95 even... with Rob M. still around) but no decision was made.

robh didn't like IncludesNOEXEC allowing inclusion of CGIs, 

Brian did and vetoed a proposed IncludesYESCGINOCMD or something like that
because he thought IncludesNOEXEC should allow CGIs.

Roy didn't like changing IncludesNOEXEC and liked adding another directive
(IncludesNoExecCMD) to just disable exec.

This is back in the days of v0.6...

Right now it behaves neither way, allowing some and disallowing all.
Unless someone can propose a security problem, my vote is for allowing
include virtual to execute CGIs that would be executed anyway.

It already does so for ScriptAliased directories, just AddHandlered
scripts that it doesn't.

On Sun, 8 Jun 1997, Marc Slemko wrote:

> On Sun, 8 Jun 1997, Alexei Kosut wrote:
> > On Sun, 8 Jun 1997, Marc Slemko wrote:
> > 
> > > With IncludesNOEXEC you can do an include virtual of a script in a
> > > ScriptAliased directory but not of a CGI script outside of one.
> > > 
> > > Is that how it is supposed to be?  I would think it would be a good
> > > thing to allow execution of all CGI scripts that could otherwise be
> > > executed...
> > 
> > If that's true (and I haven't tried it yet), it's definitely a bug;
> > Includes vs. IncludesNoExec should have absolutely no impact on
> > include virtual.
>
> It is due to this bit of code in mod_include:
>
>             if (!error_fmt && noexec && rr->content_type
>                 && (strncmp (rr->content_type, "text/", 5))) {
>                 error_fmt =
>                   "unable to include potential exec %s in parsed file %s";
>             }
>
> This code tries to play it safe by not allowing anything other than text/*
> files to be included in a noexec.  Is that whole statement bogus?  It does
> nothing for exec cgi because that is handled by a different subroutine,
> and if something can get through a sub_req_lookup_* wouldn't it be allowed
> to happen anyway?  ie. any execution that shouldn't happen would be denied
> by the normal methods.
>
> The only reason I can see for that being there is paranoia (perhaps
> justified...) over sub requests being broken.

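Added example, not part of the original message or of mod_include: a small C model of the condition quoted above, showing that the decision depends only on the sub-request's content type and never on whether the target would run as a CGI. The `subreq` struct, its `is_cgi` field, the function name and the sample rows are assumptions constructed for illustration.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical stand-in for the sub-request fields the quoted check reads. */
struct subreq {
    const char *uri;          /* constructed sample path */
    const char *content_type; /* may be NULL; the quoted check guards for that */
    int is_cgi;               /* would the server run it as a CGI? never consulted */
};

/* Same predicate as the quoted condition, minus the error_fmt bookkeeping.
 * Returns 1 when the include is refused under noexec, 0 when it is allowed. */
int noexec_refuses(int noexec, const struct subreq *rr)
{
    return noexec && rr->content_type
        && strncmp(rr->content_type, "text/", 5) != 0;
}

/* Constructed cases. The content types are illustrative inputs, not a claim
 * about which type Apache assigns to any particular script. */
static const struct subreq samples[] = {
    { "/docs/footer.html", "text/html",               0 },
    { "/cgi/a",            NULL,                      1 },
    { "/cgi/b",            "text/plain",              1 },
    { "/cgi/c",            "application/x-httpd-cgi", 1 },
    { "/img/logo.gif",     "image/gif",               0 },
};

int main(void)
{
    size_t i;

    for (i = 0; i < sizeof samples / sizeof samples[0]; i++) {
        const struct subreq *rr = &samples[i];
        printf("%-18s type=%-24s cgi=%d -> %s\n", rr->uri,
               rr->content_type ? rr->content_type : "(none)", rr->is_cgi,
               noexec_refuses(1, rr) ? "refused" : "included");
    }
    return 0;
}
```

Two of the three CGI rows are included and one non-CGI row is refused, so the check neither blocks all execution nor allows every CGI that would run anyway.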