Message-ID: <33EE2845.4AF881E8@algroup.co.uk>
Date: Sun, 10 Aug 1997 21:44:53 +0100
From: Ben Laurie <ben@algroup.co.uk>
Organization: A.L. Digital Ltd.
MIME-Version: 1.0
To: new-httpd@apache.org
Subject: Re: apachen Configure
References: <199708102033.QAA28801@devsys.jaguNET.com>
Content-Type: text/plain; charset=us-ascii
Content-Transfer-Encoding: 7bit
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Jim Jagielski wrote:
> 
> Anyone else a bit nervous about the format in apachen that all
> lines between ConfigStart and ConfigEnd are implicitely trusted?
> After all, these are run by and as the person running Configure
> and are not limited to Configure-type stuff...??

Hold on - the guy compiling the module is already doing something far
more dangerous - admitting C that will run on their system. Caveat
emptor.

I wouldn't worry about it. Might be worth giving prominent notice that
modules can do things at Configure-time, though. Don't just compile it,
and _then_ see if it scares you!

OTOH, you could do something like "mod_dbm.c wants me to run this: ...,
should I or shouldn't I?".

Cheers,

Ben.

-- 
Ben Laurie            |Phone: +44 (181) 994 6435|Apache Group member
Freelance Consultant  |Fax:   +44 (181) 994 6472|http://www.apache.org
and Technical Director|Email: ben@algroup.co.uk |Apache-SSL author
A.L. Digital Ltd,     |http://www.algroup.co.uk/Apache-SSL
London, England.      |"Apache: TDG" http://www.ora.com/catalog/apache