www-apache-bugdb mailing list archives

From Todd Vierling ...@pobox.com>
Subject Re: mod_include/3500: mod_include unconditionally disallows parent directories
Date Fri, 11 Dec 1998 20:20:00 GMT
The following reply was made to PR mod_include/3500; it has been noted by GNATS.

From: Todd Vierling <tv@pobox.com>
To: apbugs@hyperreal.org
Cc:
Subject: Re: mod_include/3500: mod_include unconditionally disallows parent
Date: Fri, 11 Dec 1998 15:11:36 -0500 (EST)

 : State-Changed-From-To: open-closed
 : State-Changed-By: marc
 : State-Changed-When: Mon Dec  7 11:27:34 PST 1998
 : State-Changed-Why:
 : include file is not really recommended and has this limitation
 : on purpose.

 I expected this answer.  Before I resubmit the PR, I'll offer a full
 explanation and hope someone will see this addendum.

 If I want to do so, if IncludesNOEXEC is not set, I can <!--#exec
 cmd="/bin/cat /etc/passwd"--> just as easily as I could #include the file.
 So, this isn't a justification for disallowing access to arbitrary files.  I
 *want* #include file="" to work for parent directories and arbitrary files
 when the permissions are there, to avoid the extra overhead implied by
 #include virtual="".  What the PR-closing comment didn't say is *why* that
 should be disallowed even for the `Includes' (with exec) case.

 In any case, Apache as packaged by the NetBSD pkgsrc system does not have
 this restriction.
 -- Todd Vierling (Personal tv@pobox.com; Bus. todd_vierling@xn.xerox.com)
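
Added example, not part of the original message and not Apache code: a small Python audit helper that lists the #exec and #include directives in a page and reports how each is treated under `Options Includes` versus `Options IncludesNOEXEC`. It models the #include file restriction as the mod_include documentation states it (no absolute path, no ../ component); the function names and the sample page are constructed for illustration.

```python
import re

# One SSI element looks like: <!--#element attr="value" ... -->
SSI_RE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.S)
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')

def file_path_allowed(path):
    """Documented rule for #include file: no absolute path, no '..' component."""
    if path.startswith("/"):
        return False
    return ".." not in path.split("/")

def classify(document, noexec):
    """Return (element, attribute, value, verdict) for each exec/include directive.

    noexec=True models Options IncludesNOEXEC, False models Options Includes.
    """
    findings = []
    for element, raw_attrs in SSI_RE.findall(document):
        for attr, value in ATTR_RE.findall(raw_attrs):
            if element == "exec":
                verdict = "blocked: IncludesNOEXEC" if noexec else "runs"
            elif element == "include" and attr == "file":
                verdict = ("served" if file_path_allowed(value)
                           else "rejected: outside document directory")
            elif element == "include" and attr == "virtual":
                verdict = "subrequest"  # resolved as a URL, normal access rules apply
            else:
                continue
            findings.append((element, attr, value, verdict))
    return findings

# Constructed sample page, using the directives quoted in the message above.
SAMPLE = '''<html>
<!--#include file="footer.html"-->
<!--#include file="../shared/header.html"-->
<!--#include file="/etc/passwd"-->
<!--#include virtual="/shared/header.html"-->
<!--#exec cmd="/bin/cat /etc/passwd"-->
</html>'''

if __name__ == "__main__":
    for noexec in (False, True):
        print("Options", "IncludesNOEXEC" if noexec else "Includes")
        for row in classify(SAMPLE, noexec):
            print("  ", *row)
```

Run over a document tree, the same classification shows which pages depend on #exec before a site is switched to IncludesNOEXEC.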
