You are viewing a plain text version of this content. The canonical link for it is here.
Posted to cvs@httpd.apache.org by rb...@apache.org on 2003/11/17 02:33:11 UTC
cvs commit: httpd-2.0/docs/conf httpd-win.conf
rbowen 2003/11/16 17:33:11
Modified: docs/conf httpd-win.conf
Log:
Unless anyone strenuously objects, I'm adding back the comments
regarding ScriptInterpreterSource. We're getting an increasing number of
questions about this.
Revision Changes Path
1.100 +38 -0 httpd-2.0/docs/conf/httpd-win.conf
Index: httpd-win.conf
===================================================================
RCS file: /home/cvs/httpd-2.0/docs/conf/httpd-win.conf,v
retrieving revision 1.99
retrieving revision 1.100
diff -u -r1.99 -r1.100
--- httpd-win.conf 11 Oct 2003 02:08:33 -0000 1.99
+++ httpd-win.conf 17 Nov 2003 01:33:11 -0000 1.100
@@ -470,6 +470,44 @@
#
ServerSignature On
+#
+# Apache parses all CGI scripts for the shebang line by default.
+# This comment line, the first line of the script, consists of the symbols
+# pound (#) and exclamation (!) followed by the path of the program that
+# can execute this specific script. For a perl script, with perl.exe in
+# the C:\Program Files\Perl directory, the shebang line should be:
+
+ #!c:/program files/perl/perl
+
+# Note you _must_not_ indent the actual shebang line, and it must be the
+# first line of the file. Of course, CGI processing must be enabled by
+# the appropriate ScriptAlias or Options ExecCGI directives for the files
+# or directory in question.
+#
+# However, Apache on Windows allows either the Unix behavior above, or can
+# use the Registry to match files by extention. The command to execute
+# a file of this type is retrieved from the registry by the same method as
+# the Windows Explorer would use to handle double-clicking on a file.
+# These script actions can be configured from the Windows Explorer View menu,
+# 'Folder Options', and reviewing the 'File Types' tab. Clicking the Edit
+# button allows you to modify the Actions, of which Apache 1.3 attempts to
+# perform the 'Open' Action, and failing that it will try the shebang line.
+# This behavior is subject to change in Apache release 2.0.
+#
+# Each mechanism has it's own specific security weaknesses, from the means
+# to run a program you didn't intend the website owner to invoke, and the
+# best method is a matter of great debate.
+#
+# To enable the this Windows specific behavior (and therefore -disable- the
+# equivilant Unix behavior), uncomment the following directive:
+#
+#ScriptInterpreterSource registry
+#
+# The directive above can be placed in individual <Directory> blocks or the
+# .htaccess file, with either the 'registry' (Windows behavior) or 'script'
+# (Unix behavior) option, and will override this server default option.
+#
+
#
# Aliases: Add here as many aliases as you need (with no limit). The format is
# Alias fakename realname
Re[2]: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by "William A. Rowe, Jr." <wr...@apache.org>.
At 01:20 PM 11/22/2003, Rich Bowen wrote:
>> >> * rbowen@apache.org wrote:
>> >> > Unless anyone strenuously objects, I'm adding back the comments
>> >> > regarding ScriptInterpreterSource. We're getting an increasing number of
>> >> > questions about this.
>
>OK, thanks. All comments noted. I'll roll back this change and think
>about what the alternate would be. We need to do something about what
>is, apparently, a growing source of confusion as more and more folks are
>using Apache on Windows.
I'm afraid I agree - perhaps we need to create a doc to help users understand
how to create ExecCGI entries that encourages folks to use registry-strict.
When I introduced the feature, more and more users were tripping over .txt
and other obtuse files with script mappings (e.g. in cgi-bin etc.)
If you think about it, only perl, python etc are reasonable entries already
in the registry, the user is taking some action above and beyond those few
to create Open associations. If they can create an Open association, they
can create an ExecCGI verb as well. So the doc can probably be limited
to the examples of ActiveState's perl and python distribution which are most
commonly used.
Bill
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re[2]: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by Rich Bowen <rb...@rcbowen.com>.
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1
> >> * rbowen@apache.org wrote:
> >> > Unless anyone strenuously objects, I'm adding back the comments
> >> > regarding ScriptInterpreterSource. We're getting an increasing number of
> >> > questions about this.
OK, thanks. All comments noted. I'll roll back this change and think
about what the alternate would be. We need to do something about what
is, apparently, a growing source of confusion as more and more folks are
using Apache on Windows.
- --
Rich Bowen - rbowen@RCBowen.com
Apache Administrators Handbook - http://apacheadmin.com/
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.0.7 (GNU/Linux)
iD8DBQE/v7bnXP03+sx4yJMRAjEjAKCcCsYHJ13/EHw8+xwFNxxNVebp8ACg27dS
nno4xOacxqS6ASuUA7ffrw0=
=3+ua
-----END PGP SIGNATURE-----
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re[2]: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by Astrid Keßler <ke...@kess-net.de>.
> On Mon, 17 Nov 2003, [ISO-8859-15] André Malo wrote:
>> * rbowen@apache.org wrote:
>>
>> > Unless anyone strenuously objects, I'm adding back the comments
>> > regarding ScriptInterpreterSource. We're getting an increasing number of
>> > questions about this.
>>
>> I'm -0 on it, because using ScriptInterpretersource registry without further
>> explanation of the flaws is dangerous. Using ScriptInterpreterSource
>> registry-strict without knowing what it does is silly.
>> However, let us document it better and just refer to the docs, if at all.
>> Second objection is: The httpd.conf may not become a doc replacement. It
>> disturbes me a bit, that (a) people get such a big default config which gives
>> wrong impressions about how to use the apache. ("complex", <IfModule over all
>> and everywhere etc.).
> I agree on all nd's points.
> Including a URL to the ScriptInterpreterSource docs would certainly be
> appropriate, as would be adding a section to this doc discussing the cgi
> issue:
> http://httpd.apache.org/docs-2.0/platform/windows.html
> Most of what you just put in the comments could go verbatim into a new
> section of windows.html. (But, of course, we shouldn't be recommending
> "registry" for most users.)
There is nothing more to say. I fully agree to all comments from nd and
Joshua. I would be glad to have only short comments within the default
httpd.conf with hints to the documentation. And I also won't suggest
ScriptInterpreterSource registry by default. Users should really have
read the documentation at this point before they use this setting.
Kess
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 17 Nov 2003, [ISO-8859-15] André Malo wrote:
> * rbowen@apache.org wrote:
>
> > Unless anyone strenuously objects, I'm adding back the comments
> > regarding ScriptInterpreterSource. We're getting an increasing number of
> > questions about this.
>
> I'm -0 on it, because using ScriptInterpretersource registry without further
> explanation of the flaws is dangerous. Using ScriptInterpreterSource
> registry-strict without knowing what it does is silly.
> However, let us document it better and just refer to the docs, if at all.
> Second objection is: The httpd.conf may not become a doc replacement. It
> disturbes me a bit, that (a) people get such a big default config which gives
> wrong impressions about how to use the apache. ("complex", <IfModule over all
> and everywhere etc.).
I agree on all nd's points.
Including a URL to the ScriptInterpreterSource docs would certainly be
appropriate, as would be adding a section to this doc discussing the cgi
issue:
http://httpd.apache.org/docs-2.0/platform/windows.html
Most of what you just put in the comments could go verbatim into a new
section of windows.html. (But, of course, we shouldn't be recommending
"registry" for most users.)
Joshua.
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by Joshua Slive <jo...@slive.ca>.
On Mon, 17 Nov 2003, [ISO-8859-15] André Malo wrote:
> * rbowen@apache.org wrote:
>
> > Unless anyone strenuously objects, I'm adding back the comments
> > regarding ScriptInterpreterSource. We're getting an increasing number of
> > questions about this.
>
> I'm -0 on it, because using ScriptInterpretersource registry without further
> explanation of the flaws is dangerous. Using ScriptInterpreterSource
> registry-strict without knowing what it does is silly.
> However, let us document it better and just refer to the docs, if at all.
> Second objection is: The httpd.conf may not become a doc replacement. It
> disturbes me a bit, that (a) people get such a big default config which gives
> wrong impressions about how to use the apache. ("complex", <IfModule over all
> and everywhere etc.).
I agree on all nd's points.
Including a URL to the ScriptInterpreterSource docs would certainly be
appropriate, as would be adding a section to this doc discussing the cgi
issue:
http://httpd.apache.org/docs-2.0/platform/windows.html
Most of what you just put in the comments could go verbatim into a new
section of windows.html. (But, of course, we shouldn't be recommending
"registry" for most users.)
Joshua.
Re: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by André Malo <nd...@perlig.de>.
* rbowen@apache.org wrote:
> Unless anyone strenuously objects, I'm adding back the comments
> regarding ScriptInterpreterSource. We're getting an increasing number of
> questions about this.
I'm -0 on it, because using ScriptInterpretersource registry without further
explanation of the flaws is dangerous. Using ScriptInterpreterSource
registry-strict without knowing what it does is silly.
However, let us document it better and just refer to the docs, if at all.
Second objection is: The httpd.conf may not become a doc replacement. It
disturbes me a bit, that (a) people get such a big default config which gives
wrong impressions about how to use the apache. ("complex", <IfModule over all
and everywhere etc.).
YMMV. nd
---------------------------------------------------------------------
To unsubscribe, e-mail: docs-unsubscribe@httpd.apache.org
For additional commands, e-mail: docs-help@httpd.apache.org
Re: cvs commit: httpd-2.0/docs/conf httpd-win.conf
Posted by André Malo <nd...@perlig.de>.
* rbowen@apache.org wrote:
> Unless anyone strenuously objects, I'm adding back the comments
> regarding ScriptInterpreterSource. We're getting an increasing number of
> questions about this.
I'm -0 on it, because using ScriptInterpretersource registry without further
explanation of the flaws is dangerous. Using ScriptInterpreterSource
registry-strict without knowing what it does is silly.
However, let us document it better and just refer to the docs, if at all.
Second objection is: The httpd.conf may not become a doc replacement. It
disturbes me a bit, that (a) people get such a big default config which gives
wrong impressions about how to use the apache. ("complex", <IfModule over all
and everywhere etc.).
YMMV. nd