httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Date Thu, 21 May 1998 23:04:00 GMT
At 02:56 PM 5/21/98 -0700, Roy T. Fielding wrote:
>>  Make sure a MIME-type can be forced via a RewriteRule even when no
>>  substitution takes place, for instance via the following rule:
>>       RewriteRule ^myscript$ - [T=application/x-httpd-cgi]
>>  This was often requested by users (not only the submitter of the bug
>>  in the past to force a single script without a .cgi extension and
outside any
>>  cgi-bin dirs to be executed as a CGI program.
>This is only allowed in the main config files, right? Not .htaccess?
>Otherwise it is a security hole.

Hmm, this is true: even if Options ExecCGI is unset, the CGI script will
be executed.

Ralf, for the time being I'm going to reverse your patch so we can roll a
release.  The "right fix", it seems, is to decide which is the "absolute"
indicator of script security policy: is it "ExecCGI is set" or
is it "application/x-httpd-cgi is the MIME type"?  If the former we need to
modify mod_cgi.c; if the latter we need to prevent applications/x-httpd-cgi
from being able to be set in .htaccess files in mod_rewrite.  My strong
vote is for the former.


pure chewing satisfaction                        

View raw message