Posted to dev@httpd.apache.org by Lucid <lu...@secret.org> on 1996/06/13 19:34:21 UTC

Server Side Include security question...

I am using a CGI script to generate a nav bar
the catch is that I want the nav bar to change
based on what section the luser is in.

I want to server side include this into html

I hacked on mod_include.c and got it working...

does anyone have security concerns about 
adding something to SSI like

<!--#exec cgi="/cgi-bin/navbar.cgi" query="area=1" -->

or would something like

<!--#exec cgi="/cgi-bin/navbar.cgi?area=1" -->

be better?
Or is this a big security hole waiting to happen??
Ideas?

Bill Morris
memetic Design
BMorris@memetic.com
800-647-3597

Re: Server Side Include security question...

Posted by Brian Behlendorf <br...@organic.com>.

<!--#exec cgi="/cgi-bin/navbar.cgi?area=1" -->

would be better in my opinion - not that there is some SSI spec which we must
adhere to, but simply this seems to be the least different way of
performing this.  However, as I understand it, this isn't possible for
reasons of NCSA back compatibility, the NCSA 1.3 server would use the
QUERY_STRING and PATH_INFO of the document being called (i.e.
http://host/path/file.shtml/path_info?query_string) for whatever reason.
However, I'm pretty sure
<!--#include virtual="/cgi-bin/navbar.cgi?area=1" -->
is the way to work around this.

Hmm, this should go in the FAQ.

	Brian

On Thu, 13 Jun 1996, Lucid wrote:
> I am using a CGI script to generate a nav bar
> the catch is that I want the nav bar to change
> based on what section the luser is in.
> 
> I want to server side include this into html
> 
> I hacked on mod_include.c and got it working...
> 
> does anyone have security concerns about 
> adding something to SSI like
> 
> <!--#exec cgi="/cgi-bin/navbar.cgi" query="area=1" -->
> 
> or would something like
> 
> <!--#exec cgi="/cgi-bin/navbar.cgi?area=1" -->
> 
> be better?
> Or is this a big security hole waiting to happen??
> Ideas?
> 
> Bill Morris
> memetic Design
> BMorris@memetic.com
> 800-647-3597
> 
> 

--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com  www.apache.org  hyperreal.com  http://www.organic.com/JOBS
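
Added example, not part of the thread and not code from either poster or from Apache: a sketch of a navbar.cgi that treats QUERY_STRING as untrusted, since under "#exec cgi" the script receives the query string of the client's request for the .shtml page, while under "#include virtual" it receives the one written in the directive. The section table, the /areaN/ link paths and the function names are assumptions made for illustration.

```python
#!/usr/bin/env python3
"""navbar.cgi sketch: treat QUERY_STRING as untrusted input (constructed example)."""
import html
import os
import sys
from urllib.parse import parse_qs

# Hypothetical section table; the thread only mentions "area=1".
SECTIONS = {"1": "Products", "2": "Support", "3": "About"}
DEFAULT_AREA = "1"


def pick_area(query_string):
    """Return an allowlisted area id, falling back to the default."""
    values = parse_qs(query_string, keep_blank_values=True).get("area", [])
    # Exactly one value, and it must be a known key; anything else is ignored.
    if len(values) == 1 and values[0] in SECTIONS:
        return values[0]
    return DEFAULT_AREA


def render_navbar(query_string):
    """Build the nav bar fragment with the current section highlighted."""
    current = pick_area(query_string)
    items = []
    for area, label in SECTIONS.items():
        text = html.escape(label)
        if area == current:
            items.append("<b>%s</b>" % text)
        else:
            # Hypothetical link layout: one directory per area.
            items.append('<a href="/area%s/">%s</a>' % (html.escape(area, quote=True), text))
    return " | ".join(items)


def main():
    # Under "#exec cgi" this is the query string of the client's request for
    # the .shtml page; under "#include virtual" it is the one in the directive.
    query = os.environ.get("QUERY_STRING", "")
    sys.stdout.write("Content-Type: text/html\r\n\r\n")
    sys.stdout.write(render_navbar(query) + "\n")


if __name__ == "__main__":
    main()
```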