Posted to dev@httpd.apache.org by Lucid <lu...@secret.org> on 1996/06/13 19:34:21 UTC
Server Side Include security question...
I am using a CGI script to generate a nav bar
the catch is that I want the nav bar to change
based on what section the luser is in.
I want to server side include this into html
I hacked on mod_include.c and got it working...
does anyone have security concerns about
adding something to SSI like
<!--#exec cgi="/cgi-bin/navbar.cgi" query="area=1" -->
or would something like
<!--#exec cgi="/cgi-bin/navbar.cgi?area=1" -->
be better?
Or is this a big security hole waiting to happen??
Ideas?
Bill Morris
memetic Design
BMorris@memetic.com
800-647-3597
Re: Server Side Include security question...
Posted by Brian Behlendorf <br...@organic.com>.
<!--#exec cgi="/cgi-bin/navbar.cgi?area=1" -->
would be better in my opinion - not that there is some SSI spec which we must
adhere to, but simply this seems to be the least different way of
performing this. However, as I understand it, this isn't possible for
reasons of NCSA back compatibility; the NCSA 1.3 server would use the
QUERY_STRING and PATH_INFO of the document being called (i.e.
http://host/path/file.shtml/path_info?query_string) for whatever reason.
However, I'm pretty sure <!--#include virtual="/cgi-bin/navbar.cgi?area=1"
--> is the way to work around this.
Hmm, this should go in the FAQ.
Brian
On Thu, 13 Jun 1996, Lucid wrote:
> I am using a CGI script to generate a nav bar
> the catch is that I want the nav bar to change
> based on what section the luser is in.
>
> I want to server side include this into html
>
> I hacked on mod_include.c and got it working...
>
> does anyone have security concerns about
> adding something to SSI like
>
> <!--#exec cgi="/cgi-bin/navbar.cgi" query="area=1" -->
>
> or would something like
>
> <!--#exec cgi="/cgi-bin/navbar.cgi?area=1" -->
>
> be better?
> Or is this a big security hole waiting to happen??
> Ideas?
>
> Bill Morris
> memetic Design
> BMorris@memetic.com
> 800-647-3597
>
>
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS
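
An added example, not part of the thread and not Apache's code: a simplified Python model of the behaviour described in the reply, showing which QUERY_STRING navbar.cgi receives under each directive and why the script should still allowlist `area`. The function names, the section ids and the sample request values are assumptions made for illustration.

```python
import re
from urllib.parse import parse_qs

# The two directive forms discussed in the thread.
DIRECTIVE = re.compile(r'<!--#(exec cgi|include virtual)="([^"]*)"\s*-->')

ALLOWED_AREAS = {"1", "2", "3"}  # hypothetical section ids


def cgi_env(directive, parent_path_info, parent_query):
    """Model the PATH_INFO / QUERY_STRING a CGI script sees for a directive."""
    m = DIRECTIVE.fullmatch(directive.strip())
    if not m:
        raise ValueError("unsupported directive")
    kind, target = m.groups()
    script, _, query = target.partition("?")
    if kind == "exec cgi":
        # Per the reply: the script gets the values of the document being
        # requested, which the client controls. Assumption of this model:
        # any "?..." written in the directive is simply not used.
        return {"SCRIPT_NAME": script, "PATH_INFO": parent_path_info,
                "QUERY_STRING": parent_query}
    # include virtual: the query string written by the page author is used.
    return {"SCRIPT_NAME": script, "PATH_INFO": "", "QUERY_STRING": query}


def navbar_area(env, default="1"):
    """Check navbar.cgi should make: accept exactly one known area value."""
    values = parse_qs(env["QUERY_STRING"]).get("area", [])
    if len(values) == 1 and values[0] in ALLOWED_AREAS:
        return values[0]
    return default


if __name__ == "__main__":
    # Constructed request: /path/file.shtml/extra?area=not-a-section
    parent = ("/extra", "area=not-a-section")
    for d in ('<!--#exec cgi="/cgi-bin/navbar.cgi?area=2" -->',
              '<!--#include virtual="/cgi-bin/navbar.cgi?area=2" -->'):
        env = cgi_env(d, *parent)
        print(d, "->", env["QUERY_STRING"], "-> area", navbar_area(env))
```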