httpd-dev mailing list archives

From Stefan Fritsch ...@sfritsch.de>
Subject Re: mod_include and ap_expr
Date Sun, 15 May 2011 11:22:38 GMT
On Sun, 15 May 2011, Graham Leggett wrote:
>> The mod_include expression parser tries hard to limit what can be done. For 
>> example, the subrequest operator -A can be switched off with a config 
>> option.
>
> If it makes your life easier to remove this config option please do - it was 
> only put there to make it possible to backport the -A option to v2.2 while 
> guaranteeing no existing configs could break. In v2.4 this option doesn't 
> make much sense.

So you implemented it more as a safeguard against confusion with "-A" 
strings in existing expressions than as a security measure? Do you think 
that untrusted shtml files are not a common use case? In that case I would 
tend to the "people can always switch back to the old restricted 
expression syntax" solution.

Cheers,
Stefan

