httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Dean Gaudet <dgau...@arctic.org>
Subject Re: Options & SSIs
Date Sun, 09 Nov 1997 21:44:39 GMT
See PR#697, it includes a patch that does this. 

Dean

On Sun, 9 Nov 1997, Rodent of Unusual Size wrote:

>     Oh, bogus.  Tell me I'm misinterpreting this:
> 
>      o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
>      o "#exec cgi=" can be turned on with "Options ExecCGI".
>      o "Options IncludesNoExec" disables both "#exec cgi=" and
>        "#exec cmd=".
> 
>     In other words, there's no way to turn off shell-command execution
>     without turning off CGI execution as well.  And shell-command
>     execution is turned on by default if SSIs are.
> 
>     Personally, I consider CGIs marginally safer than arbitrary shell
>     commands, and I'd rather this situation were reversed.
> 
>     Of course, the waters are significantly muddied by "#include virtual".
> 
>     Yuk.
> 
>     Maybe breaking this into
> 
>      Options IncludesCGI
>      Options IncludesCMD
>      Options Includes
> 
>     Then
> 
>       Current			    New
>      Includes IncludesNoExec	== Includes
>      Includes ExecCGI		== Includes IncludesCGI
>      Includes			== Includes IncludesCGI IncludesCMD
>      (not currently possible)	== Includes IncludesCMD
> 
>     and allows CGI and shell-command execution to be independently
>     enabled/disabled.  This also has the advantage (IMHO) of
>     disambiguating the meaning of Options - right now some of the
>     keywords are enablers and some are disablers (IncludesNoExec). This
>     would make them all enablers.
> 
>     I need to look into how the Options keywords affect the "#include
>     virtual" stuff; I'm just thinking aloud (?) here..
> 
>     #ken    P-)}
> 


Mime
View raw message