You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1995/10/19 14:42:24 UTC

Re: Apache incompatibility

As I have understood and used it:

file="..." is a path (absolute or relative) to an included document.
virtual="..." uses DOCUMENTROOT for the active server and *must* begin
from the DOCUMENTROOT.

>From a security standpoint, I would prefer to preserve the functionality
above and perhaps restrict file="..." to be a file within the DOCUMENTROOT
filespace.  Use of FollowSymlink etc. should be our controls of this
filespace.


> Just for the record, because I think it's not something that's terribly
> well documented in any doc I've ever seen, and I don't want to be further
> confused by other people's interpretations - What is the difference, as we
> understand it, between:
> 
> 	#include file="....."
> 
> and 
> 	#include virtual="....."
> 
> Suggestions:
> 
> file	"....." can be in SAME directory as including file
> 
> 	file="local_header.html"
> 
> 	"....." can be in subdirectories
> 
> 	file="Way/Down/There/foo.html"
> 
> 	"....." can NOT be anywhere else
> 
> 	file="/This/Is/Just/Plain/r0ng.html"
> 	file="../../As/Is/thi5.html"		<-- YOU NEED TO CHECK THIS TOO!
> 						    IF WE'RE TO BE NCSA 1.3R
> 						    COMPATIBLE
> 
> virtual	"....." can be anywhere in UNIX space eg:
> 
> 	virtual="/etc/passwd"
> 
> 	"....." can be anywhere in document space
> 
> 	virtual="../../Admin/default_copyright.html"
> 
> 	
> References:
> 
>    http://hoohoo.ncsa.uiuc.edu/docs/tutorials/includes.html
> 
> 
> SUMMARY
> 
> It's still broken and this patch will hurt people ;)
> 
> Cheers,
> Ay.