httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Marc Slemko <ma...@worldgate.com>
Subject Re: Options & SSIs
Date Sun, 09 Nov 1997 21:41:54 GMT
I don't see any need for special code to allow enabling exec cgi without
exec cmd.  exec cgi is legacy.  Use include virtual instead.  It is
supposed to work in both Includes and IncludesNoExec, however right now it
only works for ScriptAliased directories.  I think that should be fixed
(there is a PR on it somewhere), but once it is I see no reason for adding
code to play with exec cgi. 

Where do you get the idea that ExecCGI allows "exec cgi"?


On Sun, 9 Nov 1997, Rodent of Unusual Size wrote:

>     Oh, bogus.  Tell me I'm misinterpreting this:
> 
>      o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
>      o "#exec cgi=" can be turned on with "Options ExecCGI".
>      o "Options IncludesNoExec" disables both "#exec cgi=" and
>        "#exec cmd=".
> 
>     In other words, there's no way to turn off shell-command execution
>     without turning off CGI execution as well.  And shell-command
>     execution is turned on by default if SSIs are.
> 
>     Personally, I consider CGIs marginally safer than arbitrary shell
>     commands, and I'd rather this situation were reversed.
> 
>     Of course, the waters are significantly muddied by "#include virtual".
> 
>     Yuk.
> 
>     Maybe breaking this into
> 
>      Options IncludesCGI
>      Options IncludesCMD
>      Options Includes
> 
>     Then
> 
>       Current			    New
>      Includes IncludesNoExec	== Includes
>      Includes ExecCGI		== Includes IncludesCGI
>      Includes			== Includes IncludesCGI IncludesCMD
>      (not currently possible)	== Includes IncludesCMD
> 
>     and allows CGI and shell-command execution to be independently
>     enabled/disabled.  This also has the advantage (IMHO) of
>     disambiguating the meaning of Options - right now some of the
>     keywords are enablers and some are disablers (IncludesNoExec). This
>     would make them all enablers.
> 
>     I need to look into how the Options keywords affect the "#include
>     virtual" stuff; I'm just thinking aloud (?) here..
> 
>     #ken    P-)}
> 


Mime
View raw message