httpd-dev mailing list archives

From C...@PROCESS.COM (Rodent of Unusual Size)
Subject Options & SSIs
Date Thu, 01 Jan 1970 00:00:00 GMT
    Oh, bogus.  Tell me I'm misinterpreting this:

     o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
     o "#exec cgi=" can be turned on with "Options ExecCGI".
     o "Options IncludesNoExec" disables both "#exec cgi=" and
       "#exec cmd=".

    In other words, there's no way to turn off shell-command execution
    without turning off CGI execution as well.  And shell-command
    execution is turned on by default if SSIs are.

    Personally, I consider CGIs marginally safer than arbitrary shell
    commands, and I'd rather this situation were reversed.

    Of course, the waters are significantly muddied by "#include virtual".

    Yuk.

    Maybe breaking this into

     Options IncludesCGI
     Options IncludesCMD
     Options Includes

    Then

      Current			    New
     Includes IncludesNoExec	== Includes
     Includes ExecCGI		== Includes IncludesCGI
     Includes			== Includes IncludesCGI IncludesCMD
     (not currently possible)	== Includes IncludesCMD

    and allows CGI and shell-command execution to be independently
    enabled/disabled.  This also has the advantage (IMHO) of
    disambiguating the meaning of Options - right now some of the
    keywords are enablers and some are disablers (IncludesNoExec). This
    would make them all enablers.

    I need to look into how the Options keywords affect the "#include
    virtual" stuff; I'm just thinking aloud (?) here..

    #ken    P-)}
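
Added example (not part of the original message, and not Apache code): a small Python audit that scans configuration text for `Options` lines and reports where SSI is enabled with `#exec` permitted (`Includes`) versus disabled (`IncludesNoExec`), the distinction the message is about. The sample configuration is constructed; the `+`/`-` prefixes and the `All` keyword are Apache syntax not mentioned in the message, and reporting a line that carries both keywords as `review` is this example's own choice.

```python
import re

# Constructed sample configuration (not from the original message).
SAMPLE_CONF = """\
<Directory "/srv/www/docs">
    Options Indexes Includes
</Directory>
<Directory "/srv/www/users">
    Options IncludesNoExec ExecCGI
</Directory>
<Directory "/srv/www/static">
    # Options Includes
    Options +Indexes -Includes
</Directory>
<Directory "/srv/www/legacy">
    Options All
</Directory>
"""

OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)

def enabled_keywords(line_keywords):
    """Keywords a line turns on: drop '-' entries, strip a leading '+'."""
    return {k.lstrip("+").lower() for k in line_keywords if not k.startswith("-")}

def classify(enabled):
    """Return 'exec', 'noexec', 'review' or None for one Options line."""
    with_exec = "includes" in enabled or "all" in enabled
    no_exec = "includesnoexec" in enabled
    if with_exec and no_exec:
        return "review"  # both on one line: this example asks for a manual check
    if with_exec:
        return "exec"    # SSI on, "#exec" permitted
    if no_exec:
        return "noexec"  # SSI on, "#exec" disabled
    return None          # line does not turn SSI on

def audit_options(conf_text):
    """Return [(line_number, status, execcgi_on)]; each line is judged alone."""
    findings = []
    for number, line in enumerate(conf_text.splitlines(), start=1):
        match = OPTIONS_RE.match(line)  # commented-out directives do not match
        if match:
            enabled = enabled_keywords(match.group(1).split())
            status = classify(enabled)
            if status:
                findings.append((number, status, bool(enabled & {"execcgi", "all"})))
    return findings
```

`audit_options(SAMPLE_CONF)` returns one tuple per SSI-enabling line; merging of `Options` between enclosing contexts is not modelled, so each reported line still needs to be read in its context.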
