httpd-dev mailing list archives

From Simon Huggins <hug...@earth.li>
Subject Re: [PATCH] mod_include 1.3.x - limiting EXEC to a certain directory
Date Wed, 16 Feb 2000 21:59:27 GMT
Discussing this further with Marc Slemko (off list):

On Tue, Feb 15, 2000 at 04:35:54PM -0700, Marc Slemko wrote:
> > > > > > When I try to do:
> > > > > > <p>Text: <!--#include virtual="/include/counter.pl"-->
> > > > > > I get:
> > > > > > Feb 14 01:10:21 2000] [error] [client 192.168.0.7] unable to
> > > > > > include potential exec "/include/counter.pl" in parsed file /home/www/web.blackcatnetworks.co.uk/test.x/counter.shtml
> > > Try using something without a .pl, .cgi, etc. extension.  eg. counter
> > > or counter.foo, etc.
> > Yes,  counter instead of counter.pl works.

So it seems that anything that ends in .pl is not allowed by
IncludesNOEXEC *BUT* that anything that doesn't *IS* allowed if it's in
a ScriptAlias'd directory.

> > Why is this and what needs fixing to make this behaviour consistent?
> Because it is broken.  There is a check in the include virtual code to
> make sure there is no handler set or something.  I think that there is
> no reason for that, as long as we define IncludesNOEXEC as not
> allowing any CGIs to be executed that wouldn't be executed anyway.  I
> think that is reasonable to do, so it is just a matter of verifying
> that removing that check isn't problematic and doing it.  There is at
> least one ancient PR about this, probably with some technical info in.

Um, except I can't trace this through properly, whilst I'm sure the
people on the list will be able to.  Hence this message.

> > (should this migrate back to new-httpd?)
> Yes.

I apologise if the quoting is not clear but I've deleted irrelevant
stuff.

Any volunteers to either:
	* demystify me as to what needs changing.
	* patch it so it does The Right Thing (whatever that is decided
	  to be)


Simon.
-- 
[ "Cerulean is a gentle breeze..." - Pusher                            ]
        Black Cat Networks.  http://www.blackcatnetworks.co.uk/
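For readers who want to reproduce the behaviour Simon reports, here is a minimal Apache 1.3 configuration that sets up the same situation: a ScriptAlias'd /include/ directory and a document directory with IncludesNOEXEC. This is an added illustration, not configuration from the thread or from the httpd project; the paths /home/www/cgi-bin/ and /home/www/htdocs are assumed placeholders.

```apache
# Constructed reproduction of the setup described in the thread (assumed paths).
# /include/ maps to a CGI directory, so anything under it is a CGI script.
ScriptAlias /include/ "/home/www/cgi-bin/"

<Directory "/home/www/htdocs">
    # IncludesNOEXEC: SSI on, but #exec and includes of CGIs are meant to be refused.
    Options IncludesNOEXEC
    # Apache 1.3 way of enabling mod_include for .shtml files.
    AddType text/html .shtml
    AddHandler server-parsed .shtml
</Directory>
```

With this in place, a page containing <!--#include virtual="/include/counter.pl"--> should be refused with the "unable to include potential exec" error-log line quoted above, while the thread reports that the same script renamed to /include/counter (no handler-triggering extension) is executed despite IncludesNOEXEC. Checking the error log for that message, and for the absence of it on the extensionless variant, is the quickest way to confirm whether a given build still shows the inconsistency.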
