Return-Path:
Delivered-To: new-httpd-archive@hyperreal.org
Received: (qmail 16157 invoked by uid 6000); 9 Nov 1997 21:36:52 -0000
Received: (qmail 16022 invoked from network); 9 Nov 1997 21:36:49 -0000
Received: from alcor.process.com (192.42.95.16) by taz.hyperreal.org with SMTP; 9 Nov 1997 21:36:49 -0000
Date: Sun, 9 Nov 1997 16:36 -0400
From: COAR@PROCESS.COM (Rodent of Unusual Size)
Message-Id: <009BD0B6085BE589.59B0@PROCESS.COM>
To: New-HTTPd@Apache.Org
Subject: Options & SSIs
X-VMS-To: NH
X-VMS-Cc: COAR
Sender: new-httpd-owner@apache.org
Precedence: bulk
Reply-To: new-httpd@apache.org

Oh, bogus. Tell me I'm misinterpreting this:

 o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
 o "#exec cgi=" can be turned on with "Options ExecCGI".
 o "Options IncludesNoExec" disables both "#exec cgi=" and
   "#exec cmd=".

In other words, there's no way to turn off shell-command execution
without turning off CGI execution as well. And shell-command
execution is turned on by default if SSIs are.

Personally, I consider CGIs marginally safer than arbitrary shell
commands, and I'd rather this situation were reversed. Of course, the
waters are significantly muddied by "#include virtual". Yuk.

Maybe breaking this into

    Options IncludesCGI
    Options IncludesCMD
    Options Includes

Then

    Current                     New
    Includes IncludesNoExec  == Includes
    Includes ExecCGI         == Includes IncludesCGI
    Includes                 == Includes IncludesCGI IncludesCMD
    (not currently possible) == Includes IncludesCMD

and allows CGI and shell-command execution to be independently
enabled/disabled. This also has the advantage (IMHO) of
disambiguating the meaning of Options - right now some of the
keywords are enablers and some are disablers (IncludesNoExec). This
would make them all enablers.

I need to look into how the Options keywords affect the
"#include virtual" stuff; I'm just thinking aloud (?) here..

#ken P-)}