httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Callahan <jcall...@willamette.edu>
Subject [users@httpd] Bug in 1.3.x mod_include?
Date Wed, 23 Apr 2003 17:58:50 GMT

Hello fellow Apache Users:

I am trying to figure out how to do an SSI "include virtual" of a CGI
program without turning off IncludesNOEXEC.  The documentation seems to
imply that it will work, but the source code seems to think an "include
virtual" of any document not classed as "text" is a potential exec.

The documentation indicates the following:

  IncludesNOEXEC
     Server-side includes are permitted, but the #exec command and #exec
CGI are disabled.
     It is still possible to #include virtual CGI scripts from
ScriptAliase'd directories.

     Source: http://httpd.apache.org/docs/mod/core.html#options

However, the behavior is as follows:
     unable to include potential exec "/cgi-bin/test.cgi" in parsed file
/apache/htdocs/test.htm

I believe this is a result of the following code (starting @ line 688 of
mod_include.c)

            if (!error_fmt && noexec && rr->content_type
                && (strncmp(rr->content_type, "text/", 5))) {
                error_fmt = "unable to include potential exec \"%s\" "
                    "in parsed file %s";
            }

I find no code in mod_include.c that would exempt ScriptAliased areas
from this check.

I understand the logic of treating an "include file" directive of a CGI
program as potentially hostile, but why "include virtual"?  Isn't
"include virtual" just creating a subrequest to a URI that falls under
the normal rules of access?

Thanks for any insights!

John
--
John P. Callahan <jcallaha@willamette.edu>
Director, Network Services
Willamette University
900 State St, Salem OR, 97301
Phone: 503-375-5495 Fax: 503-375-5456




---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message