httpd-dev mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: Now that the shouting is over...
Date Sun, 06 Dec 1998 18:16:41 GMT


On Thu, 3 Dec 1998, Michael H. Voase wrote:

> /*
>  * We don't want people able to serve up pipes, or unix sockets, or other
>  * scary things.  Note that symlink tests are performed later.
>  */
> static int check_safe_file(request_rec *r)
> {
>     if (r->finfo.st_mode == 0         /* doesn't exist */
>         || S_ISDIR(r->finfo.st_mode)
>         || S_ISREG(r->finfo.st_mode)
>         || S_ISSOCK(r->finfo.st_mode)     <-- Hacked Line
>         || S_ISLNK(r->finfo.st_mode)) {
>         return OK;
>     }
> 
> The reason I have done this is that the socket is located
> by the URL. mod_cgisock then connects to the socket
> and transfers the environment variables, then interacts
> with the socket in the same manner as cgi interacts
> with a script (the code is much the same with a socket
> substituted).

Yeah, this is a bad idea on servers where you may not want users running
CGIs... or doing other silly things with sockets (such as locking up
httpds).  We couldn't really accept it into the standard distribution. 

You could use some other mapping from url to cgi socket name... 

Dean
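Added example (not Apache's code, not from either poster): the decision made by the quoted check_safe_file(), with and without the "hacked" S_ISSOCK line, run over a constructed scratch document tree holding a regular file, a FIFO and a bound AF_UNIX socket, i.e. the kinds of object a user with write access to the tree can create. It also sketches the alternative Dean suggests, an administrator-owned URL-to-socket table, so the socket never has to be reachable through the filesystem mapping at all. Every name here (safe_file_mode, check_path, classify_fixture, lookup_cgisock, cgisock_map and the paths in it) is an assumption of this example, not an httpd identifier.

```c
/* Added example, not httpd code. Names and paths are this example's own. */
#define _XOPEN_SOURCE 700
#include <fcntl.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <unistd.h>
#include <sys/socket.h>
#include <sys/stat.h>
#include <sys/un.h>

#define OK 0
#define HTTP_FORBIDDEN 403

/* Same decision as the quoted check_safe_file(), taken on st_mode alone.
 * allow_sockets=1 reproduces the "hacked line"; 0 is stock behaviour. */
static int safe_file_mode(mode_t mode, int allow_sockets)
{
    if (mode == 0                      /* doesn't exist */
        || S_ISDIR(mode)
        || S_ISREG(mode)
        || S_ISLNK(mode))
        return OK;
    if (allow_sockets && S_ISSOCK(mode))
        return OK;
    return HTTP_FORBIDDEN;             /* pipes, sockets, devices */
}

/* lstat() the mapped filename and apply the check, as httpd does for a URL;
 * a missing or unreadable path counts as "doesn't exist" (st_mode 0). */
static int check_path(const char *path, int allow_sockets)
{
    struct stat st;
    memset(&st, 0, sizeof st);
    if (lstat(path, &st) != 0)
        st.st_mode = 0;
    return safe_file_mode(st.st_mode, allow_sockets);
}

/* Constructed fixture: a scratch "document root" with index.html, a FIFO
 * and a bound AF_UNIX socket. results[0..2] get the verdict for each.
 * Returns 0 on success, -1 if the fixture could not be built. */
static int classify_fixture(int allow_sockets, int results[3])
{
    char dir[] = "/tmp/cgisockXXXXXX";
    char file[64], fifo[64], sock[64];
    struct sockaddr_un sa;
    int fd = -1, sfd = -1, rc = -1;

    if (mkdtemp(dir) == NULL)
        return -1;
    snprintf(file, sizeof file, "%s/index.html", dir);
    snprintf(fifo, sizeof fifo, "%s/pipe", dir);
    snprintf(sock, sizeof sock, "%s/cgi.sock", dir);

    if ((fd = open(file, O_WRONLY | O_CREAT, 0644)) < 0)
        goto out;
    if (mkfifo(fifo, 0644) != 0)
        goto out;
    memset(&sa, 0, sizeof sa);
    sa.sun_family = AF_UNIX;
    strncpy(sa.sun_path, sock, sizeof sa.sun_path - 1);
    if ((sfd = socket(AF_UNIX, SOCK_STREAM, 0)) < 0
        || bind(sfd, (struct sockaddr *)&sa, sizeof sa) != 0)
        goto out;

    results[0] = check_path(file, allow_sockets);
    results[1] = check_path(fifo, allow_sockets);
    results[2] = check_path(sock, allow_sockets);
    rc = 0;
out:
    if (fd >= 0) close(fd);
    if (sfd >= 0) close(sfd);
    unlink(sock); unlink(fifo); unlink(file); rmdir(dir);
    return rc;
}

/* Dean's suggestion: an administrator-owned URL -> socket mapping, so the
 * socket lives outside the document tree and a user-created socket in the
 * tree is never contacted. Entries are made up for this example. */
static const struct { const char *uri; const char *sock; } cgisock_map[] = {
    { "/cgi-sock/app",   "/var/run/httpd/app.sock" },
    { "/cgi-sock/stats", "/var/run/httpd/stats.sock" },
};

static const char *lookup_cgisock(const char *uri)
{
    size_t i;
    for (i = 0; i < sizeof cgisock_map / sizeof cgisock_map[0]; i++)
        if (strcmp(uri, cgisock_map[i].uri) == 0)
            return cgisock_map[i].sock;
    return NULL;   /* not configured: never connect to a user-chosen path */
}

int main(void)
{
    int r[3];
    if (classify_fixture(0, r) == 0)
        printf("stock : file=%d fifo=%d sock=%d\n", r[0], r[1], r[2]);
    if (classify_fixture(1, r) == 0)
        printf("hacked: file=%d fifo=%d sock=%d\n", r[0], r[1], r[2]);
    printf("/cgi-sock/app -> %s\n", lookup_cgisock("/cgi-sock/app"));
    return 0;
}
```

With the stock check the socket is refused (403) like the FIFO; with the hacked line it is served, which is exactly the case Dean objects to: whoever can drop a socket into the tree gets httpd to connect to it, run CGI-like code, or simply hold the child while it waits for an answer. The table lookup shows the alternative shape: only sockets the admin listed are ever contacted, and check_safe_file() never sees them because they are not the mapped filename.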

