httpd-dev mailing list archives

From KaiGai Kohei <>
Subject Re: [RFC] A new hook: invoke_handler and web-application security
Date Wed, 08 Apr 2009 03:07:26 GMT
Graham Dumpleton wrote:
> 2009/4/8 KaiGai Kohei <>:
>> Graham Dumpleton wrote:
>>> Explain first why using FASTCGI and suexec wouldn't be a better option?
>> These are limited to cgi applications, so we cannot apply such kind
>> of restriction on the built-in script languages and references on
>> static documents (like *.html).
> FASTCGI is not restricted to CGI applications. At least in the sense
> that FASTCGI allows persistent processes rather than one off processes
> like CGI. FASTCGI bindings are available for many different languages,
> including scripting languages, so what 'built-in script languages' are
> you talking about? The suexec mechanism comes into play as it allows
> FASTCGI processes to run as a different user than Apache process.

Hmm... I'll try to search for more details of features of FastCGI.

If you have a hint, could you tell me about the questions I currently have?
IIRC, the CGI version of PHP cannot handle applications which write
out special HTTP headers, such as WWW-Authenticate: or Location:.
Is it possible to handle correctly in FastCGI?
I could not find FastCGI support for WebDAV. Is it possible to control
access to files using SELinux?

OSS Platform Development Division, NEC
KaiGai Kohei <>
