Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1995/10/19 14:42:24 UTC
Re: Apache incompatibility
As I have understood and used it:
file="..." is a path (absolute or relative) to an included document.
virtual="..." uses DOCUMENTROOT for the active server and *must* begin
from the DOCUMENTROOT.
From a security standpoint, I would prefer to preserve the functionality
above and perhaps restrict file="..." to be a file within the DOCUMENTROOT
filespace. Use of FollowSymlink etc. should be our controls of this
filespace.
> Just for the record, because I think it's not something that's terribly
> well documented in any doc I've ever seen, and I don't want to be further
> confused by other people's interpretations - What is the difference, as we
> understand it, between:
>
> #include file="....."
>
> and
> #include virtual="....."
>
> Suggestions:
>
> file "....." can be in SAME directory as including file
>
> file="local_header.html"
>
> "....." can be in subdirectories
>
> file="Way/Down/There/foo.html"
>
> "....." can NOT be anywhere else
>
> file="/This/Is/Just/Plain/r0ng.html"
> file="../../As/Is/thi5.html" <-- YOU NEED TO CHECK THIS TOO!
> IF WE'RE TO BE NCSA 1.3R
> COMPATIBLE
>
> virtual "....." can be anywhere in UNIX space eg:
>
> virtual="/etc/passwd"
>
> "....." can be anywhere in document space
>
> virtual="../../Admin/default_copyright.html"
>
>
> References:
>
> http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
>
>
> SUMMARY
>
> It's still broken and this patch will hurt people ;)
>
> Cheers,
> Ay.