httpd-dev mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Jeff Trawick <>
Subject Re: Includes vs IncludesNoExec security issue - help needed
Date Thu, 23 Apr 2009 14:11:22 GMT
On Thu, Apr 23, 2009 at 8:31 AM, Joe Orton <> wrote:

> These are fixable but one question is left on how a particular
> combination of Includes and IncludesNoExec is interpreted:
> - if httpd.conf has "Options Includes", and an .htaccess file has
>   "Options +IncludesNoExec" - should exec= be permitted in an SSI?

I don't think so; .htaccess is an override of httpd.conf (admittedly, that's
a bit squirrel-y with Includes vs. IncludesNoExec ;) )

It is useful to be able to turn off Exec in .htaccess.  Currently, either of
these in .htaccess will override Options Include in httpd.conf:

a. Options -Includes +IncludesNoExec
b. Options +IncludesNoExec

I have no guess on the relative use; I would prefer not breaking either.

View raw message