httpd-dev mailing list archives

From: Marc Slemko
Subject: frontpage 98 server extensions
Date: Mon, 11 Aug 1997 06:19:07 GMT

Hehe.  fp98 betas are available now.  They say they don't support Apache
1.2; they support 1.1.3 and 2.0.  I wish all these people with 2.0 would
let us see a copy since it may speed it up a bit... 

Or is this just a part of Microsoft's hidden plot to take over Apache?

Hmm.  Looking through the source, they now provide a mod_frontpage.



Still playing with source:

-  char *filename;
+  char *execfilename;           /* physical filename to exec */
+  char *filename;               /* logical filename to exec -- always the same
+                                  except for FrontPage CGI programs where we
+                                  will execute the CGI program in /usr/local/fr
+                                */
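
Review bot: the new comment on `filename` describes it as the "logical filename to exec", the same "to exec" wording given to `execfilename`, so it is not clear which field a given consumer should read. Because the two fields differ for FrontPage CGI programs, the comment should say which one access and permission checks are made against and which one is actually handed to exec, so that a check on one path is never followed by execution of the other. As shown, the comment is also cut off partway through the path "/usr/local/fr", so it should be wrapped to fit.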

They now add a key written to disk, presumably to authenticate 
that the server is actually the one talking to the setuid program.  I'm
not qualified to comment on the cryptographic validity of their
code except to say I don't like the looks of it.

They are using C++ comments in a C module.

They are now checking explicitly for frontpage-like CGI paths in their
filename translation handler and have hardcoded translations.  Guess this
means you don't need a copy of all their CGI crap for each user. 

They have a setuid binary that apparently checks to be sure it is
being called from Apache using their key file before switching UIDs.
No source.  I don't trust it.

Uses the following ScriptAliases:

    ScriptAlias /~/_vti_bin/ /~/_vti_bin/ 
    ScriptAlias /~/_vti_bin/_vti_aut/ /~/_vti_bin/_vti_aut/ 
    ScriptAlias /~/_vti_bin/_vti_adm/ /~/_vti_bin/_vti_adm/ 

MS says:

   The FrontPage Server Extensions do not require root access at any     

yea, they just need a program that they don't provide source for that is
setuid root. 

I may be taking a closer look at them later.  At first glance, they look
better than the old version but still darn scary...
