You are viewing a plain text version of this content. The canonical link for it is here.
Posted to apache-bugdb@apache.org by Steven Champeon <sc...@hesketh.com> on 1997/04/28 21:30:03 UTC
Re: config/495: AddType application/x-javascript .js breaks
SSIs in IncludesNOEXEC dirs
The following reply was made to PR config/495; it has been noted by GNATS.
From: Steven Champeon <sc...@hesketh.com>
To: Dean Gaudet <dg...@arctic.org>
Subject: Re: config/495: AddType application/x-javascript .js breaks
SSIs in IncludesNOEXEC dirs
Date: Mon, 28 Apr 1997 15:27:40 -0400
At 11:41 AM 4/28/97 -0700, Dean Gaudet graced us with:
> The current behaviour sounds correct to me. Don't name your SSIs with a
> .js... if you want them to be called something other than .html you could
> try .htmlf (html fragment) and "AddType text/html htmlf". We open up lots
> of potential problems by changing this.
Normally, I use ".inc" for "INClude". That's what I had to go back to.
I'm just sort of baffled as to why a file type without an appropriate
handler is being rejected for inclusion by an SSI due to the *potential*
for execution. I don't want to open up an asp. style hole in things,
I just want to be able to name my file fragments so I can distinguish
between them on disk. :)
Besides, a file without a registered ext should default to whatever the
deafult MIME type is set to, right? So I shouldn't have to AddType for
some random file fragment.
Let me make sure I have the order right.
1) check MIME type of "random.js" using mime.types or AddType configs
2) check server config
3) check per-dir config
4) reject due to potential for execution
Where would a handler check go in this sequence?
Steve
--
Steven Champeon | Negative forces have value.
http://www.hesketh.com/schampeo | - Henry Adams