www-apache-bugdb mailing list archives

From dgau...@apache.org
Subject Re: mod_include/3759: Supporting CGI-variables created by POST for SSI
Date Wed, 21 Apr 1999 03:49:26 GMT
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]
[If you do not include this Cc, your reply may be ig-   ]
[nored unless you are responding to an explicit request ]
[from a developer.                                      ]
[Reply only with text; DO NOT SEND ATTACHMENTS!         ]


Synopsis: Supporting CGI-variables created by POST for SSI

State-Changed-From-To: open-closed
State-Changed-By: dgaudet
State-Changed-When: Tue Apr 20 20:49:25 PDT 1999
State-Changed-Why:
Dude, you should be careful with this -- you've just opened
yourself up to some exploits.  I can request URLs with
trailing ?DATE_LOCAL=blah&DOCUMENT_NAME=foo and your code
will overwrite the server's variables.

I'm also really concerned about adding this to Apache in
general, since SSI provides very little way to verify the
validity of the arguments.  It could make it all too
easy/tempting for folks to write insecure web pages.  Using
something like mod_php or mod_perl seems much more appropriate.

Dean
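The variable-precedence problem Dean describes, as an added Python example that is not the submitter's patch or mod_include's own code: a naive merge lets the query string overwrite the server's SSI variables, while a merge that reserves the server-set names, namespaces request parameters under a prefix and validates their names does not. The reserved-name set, the `FORM_` prefix and the sample values are constructed for this example.

```python
import re
from urllib.parse import parse_qs

# Names that the SSI engine sets itself (constructed list based on the
# standard SSI variables; not mod_include's own table).
SERVER_SET_VARS = {
    "DATE_LOCAL", "DATE_GMT", "DOCUMENT_NAME", "DOCUMENT_URI",
    "LAST_MODIFIED", "QUERY_STRING_UNESCAPED",
}
NAME_RE = re.compile(r"[A-Za-z_][A-Za-z0-9_]{0,63}")


def naive_merge(server_vars, query_string):
    """The behaviour Dean objects to: request parameters are copied straight
    into the SSI environment, so a later write from the request wins."""
    env = dict(server_vars)
    for name, values in parse_qs(query_string).items():
        env[name] = values[-1]
    return env


def safe_merge(server_vars, query_string, prefix="FORM_"):
    """Hardened merge: server-set names are reserved, request parameters are
    stored under a prefix so they cannot shadow them, and only names matching
    NAME_RE are accepted.  Returns (env, rejected_parameter_names)."""
    env = dict(server_vars)
    rejected = []
    for name, values in parse_qs(query_string).items():
        if not NAME_RE.fullmatch(name):
            rejected.append(name)          # junk or oversized name
            continue
        key = prefix + name.upper()
        # Guard even when a caller passes an empty prefix.
        if key in SERVER_SET_VARS or key in server_vars:
            rejected.append(name)          # would overwrite a server variable
            continue
        env[key] = values[-1]
    return env, rejected


if __name__ == "__main__":
    # Constructed server environment and the request from Dean's message.
    server = {"DATE_LOCAL": "Tuesday, 20-Apr-1999 20:49:25 PDT",
              "DOCUMENT_NAME": "index.shtml"}
    qs = "DATE_LOCAL=blah&DOCUMENT_NAME=foo&user=dean"
    print("naive:", naive_merge(server, qs)["DATE_LOCAL"])
    env, rejected = safe_merge(server, qs)
    print("safe :", env["DATE_LOCAL"], "| rejected:", rejected)
```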

