httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Alvaro Martinez Echevarria <alvaro-ht...@lander.es>
Subject Re: [PATCH] again (might solve PR#2354)
Date Fri, 19 Jun 1998 22:30:40 GMT
On Fri, 19 Jun 1998, Ralf S. Engelschall wrote:

> When I remember correctly we don't _WANT_ to install these scripts correctly.
> The reason is that CGI scripts always lead to problems (not to say CERT
> messages ;-) in the past and thus it was wise to let the user "enable" them
> manually by fixing the permissions. Right?

The security concern would exist if fixing the permissions made
the CGIs work. But that is not the case: the default configuration
has the "ScriptAlias" directive commented out, so a simple "chmod +x"
won't let anybody use the CGIs. So where's the problem? It will
just make it easier for John Newuser. And if you really don't
_WANT_ to set the proper permissions, at least document it
somewhere, for example in the config: "CGIs without execution
permission won't work, and the test scripts are installed without
it".
But anyway, there's another change included in the patch that is
even less questionable: printenv has a weird "#!/usr/local/bin/perl"
as it first line, and this makes it fail on many systems: if you
access to it the server generates a "500 Internal server error"
and reports "Premature end of script headers" in the error log.
The patch changes this to substitute the real location of perl
for "/usr/local/bin/perl".
Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'


Mime
View raw message