httpd-docs mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "William A. Rowe, Jr." <>
Subject Re: cvs commit: httpd-2.0/docs/manual/mod core.xml core.html.en
Date Wed, 09 Jul 2003 18:19:47 GMT
Just some quick extra comments for consideration (I'd write/commit
them myself, but I'm trying to catch up from an 8 day backlog of mail
and activity.)


At 05:38 PM 6/28/2003, wrote:
>kess        2003/06/28 15:38:16
>  Modified:    docs/manual/mod core.xml core.html.en
>  Log:
>  explain ScriptInterpreterSource a little bit more
>       <p>Setting <code>ScriptInterpreterSource Registry</code> will
>  -    cause the Windows Registry to be searched using the script file
>  -    extension (e.g., <code>.pl</code>) as a search key.</p>
>  +    cause the Windows Registry tree <code>HKEY_CLASSES_ROOT</code> to be
>  +    searched using the script file extension (e.g., <code>.pl</code>) as
>  +    search key. The command defined by the registry subkey
>  +    <code>Shell\Open\Command</code> is used to open the script file. In
>  +    of the file extension key or the <code>Shell\Open\Command</code> subkey
>  +    Apache uses the <code>Script</code> option.</p>

Alternately, the registry entry under HKCR\.pl might contain simply the name
of another file type, such as 'perlfile' as it's primary value.  In this case, Apache
follows that link to look at HKCR\perlfile\Shell\Open\Command.

Note that DDE invocation of files is not supported by Apache, these types
are indicated by a key HKCR\type\Shell\Open\DDEExec.

>  +
>  +    <note type="warning"><title>Security</title>
>  +      <p>Be careful to use <code>ScriptInterpreterSource Registry</code>

Are you certain you didn't mean to say "Be careful when using"... it sure sounds
like you are strongly warning the user to choose S.I.S. Registry.

>  +      <directive module="mod_alias">ScriptAlias</directive>'ed directories,
>  +      because Apache is trying to execute <strong>every</strong> file within
>  +      this directory. The <code>Registry</code> setting may cause undesired
>  +      program calls on files, which are usually not executed. For example, the
>  +      default open command on <code>.htm</code> files on most Windows systems
>  +      executing the Microsoft Internet Explorer, so any HTTP request for an
>  +      <code>.htm</code> file existing within the script directory would
>  +      the browser in background. This is an effective method to crash your
>  +      system within a minute or so.</p>
>  +    </note>
>       <p>The option <code>Registry-Strict</code> which is new in Apache
>  -    does the same as <code>Registry</code> but uses a more strict registry
>  -    search.</p>
>  +      does the same as <code>Registry</code> but uses the subkey
>  +      <code>Shell\ExecCGI\Command</code> instead.

Note that Registry will also look, first, for the ExecCGI 'verb' over the Open verb.

Registry-Strict prevents the server from falling back on the Open verb.

> The <code>ExecCGI</code> key
>  +      is not a common one. It has to be configured manually and prevents your
>  +      system from accidental program calls.</p>

E.g. if a .txt file is present in the ScriptAlias'ed directory, S.I.S. Registry
would open the document with a copy of notepad!  Using Registry-Strict,
the .txt file would not be served as a 'script'.  

>   </usage>
>   </directivesynopsis>

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message