httpd-dev mailing list archives

From Eric Covener <cove...@gmail.com>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Thu, 23 Apr 2009 13:04:28 GMT
On Thu, Apr 23, 2009 at 8:31 AM, Joe Orton <jorton@redhat.com> wrote:
> - if httpd.conf has "Options Includes", and an .htaccess file has
>   "Options +IncludesNoExec" - should exec= be permitted in an SSI?

My (soft) preference would be exec= permitted and doc tweak to match
the notion of what Includes + IncludesNoExec means.

-     Server-side includes are permitted, but the #exec cmd and #exec
cgi are disabled. It is still possible to #include virtual CGI scripts
from ScriptAliased directories.
+    Server-side includes, except those using #exec cmd|cgi, are
permitted. It is still possible to #include virtual CGI scripts from
ScriptAliased directories.  No net effect if enabled in the same
context as Includes.
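Review bot: the new closing sentence, "No net effect if enabled in the same context as Includes", does not say which option wins, and an administrator who adds "+IncludesNoExec" in an .htaccess under a directory that already has "Options Includes" could read it as turning #exec off. Since the stated preference is that exec= stays permitted in that case, spell it out, e.g. "When Includes is also in effect in the same context, IncludesNoExec does not disable #exec cmd or #exec cgi; use -Includes (or an Options list without +/-) to remove them." That makes the precedence explicit in the place people will look when they are trying to lock exec down.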

Then this config snippet in htaccess means "make sure I've got at
least IncludesNoExec in this context, without clobbering other
subdirectories" vs. the flavors without any +/- or ones that zap
Includes explicitly with a "-".

-- 
Eric Covener
covener@gmail.com
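The three .htaccess "flavors" Eric contrasts, written out as an added example (not configuration from the thread or from the httpd project). It follows the reading he prefers, under which exec= stays permitted when +IncludesNoExec is merged on top of an inherited Includes. The directory paths are assumptions; the Options merge rule used in the comments (an all-relative list merges with the parent context, a list without +/- replaces it) is standard Apache behaviour.

```apache
# Added example, not from the thread. Paths are assumptions.

# --- httpd.conf (server context) ---
<Directory "/srv/www/htdocs">
    # Full SSI, including #exec cmd and #exec cgi
    Options Includes
    # Allow .htaccess files in this tree to adjust Options
    AllowOverride Options
</Directory>

# --- /srv/www/htdocs/team/.htaccess, three alternative contents ---

# Flavor 1: relative (+) only.
# An all-relative Options list is merged with the parent context, so the
# effective set is Includes + IncludesNoExec. Under the interpretation
# discussed in the thread, exec= is still permitted here: this line only
# guarantees "at least IncludesNoExec" and leaves subdirectories' other
# options untouched. It does NOT switch #exec off.
Options +IncludesNoExec

# Flavor 2: absolute list (no +/-).
# A list without +/- replaces every inherited option, so Includes is
# dropped and only IncludesNoExec remains: #exec cmd/cgi are disabled,
# while #include virtual of CGI from ScriptAliased directories still works.
# Side effect: any other inherited option (FollowSymLinks etc.) is also gone.
Options IncludesNoExec

# Flavor 3: explicitly zap Includes with "-", then add IncludesNoExec.
# Still relative, so other inherited options survive, but Includes itself
# is removed; this is the unambiguous way to get SSI-without-exec in a
# subtree regardless of how Includes + IncludesNoExec is interpreted.
Options -Includes +IncludesNoExec
```

Only one of the three flavors would live in a given .htaccess; they are shown together for comparison. When the goal is to make sure #exec cannot run in a subtree, flavor 3 is the one whose outcome does not depend on the documentation question raised in the thread.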
