httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Brian Behlendorf <>
Subject Re: cvs commit: apache-1.3/src/modules/standard mod_rewrite.c
Date Fri, 22 May 1998 00:18:27 GMT
At 04:04 PM 5/21/98 -0700, Brian Behlendorf wrote:
>At 02:56 PM 5/21/98 -0700, Roy T. Fielding wrote:
>>>  Make sure a MIME-type can be forced via a RewriteRule even when no
>>>  substitution takes place, for instance via the following rule:
>>>       RewriteRule ^myscript$ - [T=application/x-httpd-cgi]
>>>  This was often requested by users (not only the submitter of the bug
>>>  in the past to force a single script without a .cgi extension and
>outside any
>>>  cgi-bin dirs to be executed as a CGI program.
>>This is only allowed in the main config files, right? Not .htaccess?
>>Otherwise it is a security hole.
>Hmm, this is true: even if Options ExecCGI is unset, the CGI script will
>be executed.

No, I'm sorry, my testing rig was messed up.  This is not the case.  Even
if a script is tagged "application/x-httpd-cgi" in a .htaccess file using
this mechanism, it will NOT be run if the ExecCGI option is not enabled.

Since your default configuration out-of-the-box does not have "ExecCGI"
enabled, it is an explicit decision by the configurator to enable it, and
thus to allow CGI scripts to be run.  So the only argument that it is a
security hole could be that the administrator did not set an addhandler or
addtype directive; yet a user can also override that if they can override
the "fileinfo" class of directives, which by the way RewriteRule is also
cloistered by.

I looked through our "security tips" document to make sure that was

>Ralf, for the time being I'm going to reverse your patch so we can roll a

Nope, not going to reverse it.  Sorry for the mistake.


pure chewing satisfaction                        

View raw message