www-apache-bugdb mailing list archives

From Dean Gaudet <dgau...@arctic.org>
Subject Re: config/495: AddType application/x-javascript .js breaks SSIs in IncludesNOEXEC dirs
Date Mon, 28 Apr 1997 19:50:01 GMT
The following reply was made to PR config/495; it has been noted by GNATS.

From: Dean Gaudet <dgaudet@arctic.org>
To: Steven Champeon <schampeo@hesketh.com>
Subject: Re: config/495: AddType application/x-javascript .js breaks  SSIs in IncludesNOEXEC
Date: Mon, 28 Apr 1997 12:43:57 -0700 (PDT)

 It's not just the potential of execution, it's the potential of displaying
 the wrong type of content (like perhaps displaying the code to something
 instead of executing it, or including a gif).  Of course you're free to
 remove/modify the test for "text/" in mod_include.c.

 There is also no way within the apache API to ask the question "if I run
 this subrequest will it use the default_handler or some other handler?"
 (you can get a partial answer depending on the server configuration, but
 there's no way to get a full answer).  So IncludesNoExec really means "do
 not run any subrequests that have content-type other than text/*".

 A file without a registered extension will have the default type, yep.  So
 you're right, you don't need to "AddType text/html htmlf" in my example if
 your DefaultType is something like text/plain.  However if you AddType it
 now then you won't have problems if someone else in the future decides to
 AddType it changing the content type.

 On Mon, 28 Apr 1997, Steven Champeon wrote:

 > At 11:41 AM 4/28/97 -0700, Dean Gaudet graced us with:
 > > The current behaviour sounds correct to me.  Don't name your SSIs with a
 > > .js... if you want them to be called something other than .html you could
 > > try .htmlf (html fragment) and "AddType text/html htmlf".  We open up lots
 > > of potential problems by changing this.
 >
 > Normally, I use ".inc" for "INClude". That's what I had to go back to.
 >
 > I'm just sort of baffled as to why a file type without an appropriate
 > handler is being rejected for inclusion by an SSI due to the *potential*
 > for execution. I don't want to open up an asp. style hole in things,
 > I just want to be able to name my file fragments so I can distinguish
 > between them on disk. :)
 >
 > Besides, a file without a registered ext should default to whatever the
 > default MIME type is set to, right? So I shouldn't have to AddType for
 > some random file fragment.
 >
 > Let me make sure I have the order right.
 >
 >  1) check MIME type of "random.js" using mime.types or AddType configs
 >  2) check server config
 >  3) check per-dir config
 >  4) reject due to potential for execution
 >
 > Where would a handler check go in this sequence?
 >
 > Steve
 > --
 > Steven Champeon                 |    Negative forces have value.
 > http://www.hesketh.com/schampeo |          - Henry Adams 
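
A simplified model of the rule described in the reply above, added here as an example; it is not part of the original message and is not code from mod_include.c. The struct and function names and the sample configurations are hypothetical. It shows why a fragment with no registered extension passes only while DefaultType stays a text/ type, which is the reason given for adding the AddType explicitly.

```c
#include <stdio.h>
#include <string.h>

/* Hypothetical model of one server configuration (not Apache's own structs). */
struct type_map { const char *ext; const char *type; };
struct config {
    const struct type_map *add_type;  /* AddType entries, NULL-terminated */
    const char *default_type;         /* DefaultType */
    int includes_noexec;              /* Options IncludesNOEXEC in effect */
};

/* Content type from the last extension; DefaultType if none is registered. */
static const char *resolve_type(const struct config *c, const char *name)
{
    const char *dot = strrchr(name, '.');
    if (dot && dot[1] != '\0')
        for (const struct type_map *m = c->add_type; m->ext; m++)
            if (strcmp(m->ext, dot + 1) == 0)
                return m->type;
    return c->default_type;
}

/* Returns 1 if the include may run. Under IncludesNOEXEC only content
 * types that start with "text/" are accepted; no handler is consulted. */
static int may_include(const struct config *c, const char *name)
{
    const char *type = resolve_type(c, name);
    if (c->includes_noexec && strncmp(type, "text/", 5) != 0)
        return 0;
    return 1;
}

/* Constructed sample configurations, differing only in DefaultType. */
static const struct type_map TYPES[] = {
    { "html", "text/html" }, { "htmlf", "text/html" },
    { "js", "application/x-javascript" }, { "gif", "image/gif" },
    { NULL, NULL }
};
static const struct config CFG_TEXT = { TYPES, "text/plain", 1 };
static const struct config CFG_BIN  = { TYPES, "application/octet-stream", 1 };

int main(void)
{
    const char *files[] = { "nav.htmlf", "random.js", "logo.gif", "nav.inc" };
    for (size_t i = 0; i < 4; i++)
        printf("%-10s DefaultType text/plain: %d  octet-stream: %d\n", files[i],
               may_include(&CFG_TEXT, files[i]), may_include(&CFG_BIN, files[i]));
    return 0;
}
```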
