You are viewing a plain text version of this content. The canonical link for it is here.

Posted to bugs@httpd.apache.org by bu...@apache.org on 2006/04/13 21:02:35 UTC

DO NOT REPLY [Bug 39306] New: - Documentation for ScriptInterpreterSource is not specific enough

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39306>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39306

           Summary: Documentation for ScriptInterpreterSource is not
                    specific enough
           Product: Apache httpd-2
           Version: 2.2-HEAD
          Platform: PC
               URL: http://httpd.apache.org/docs/2.2/mod/core.html#scriptint
                    erpretersource
        OS/Version: Windows Server 2003
            Status: NEW
          Severity: normal
          Priority: P3
         Component: Documentation
        AssignedTo: bugs@httpd.apache.org
        ReportedBy: brett-hunsaker@automation-software.com


The description of the Registry and Registry-Strict parameters is imprecise 
when it references which registry value is used.  The current implementation 
uses the (Default) value of the key.

MightI suggest the following description:

Setting ScriptInterpreterSource Registry will cause the Windows Registry tree 
HKEY_CLASSES_ROOT to be searched using the script file extension (e.g., .pl) as 
a search key. The command defined by the default value of the registry subkey 
Shell\ExecCGI\Command or, if it does not exist, by the default value of the 
subkey Shell\Open\Command is used to open the script file. If the registry keys 
cannot be found, Apache falls back to the behavior of the Script option.

For example, the registry setting to have a script with the .pl extension 
processed via perl would be:

HKEY_CLASSES_ROOT\.pl\Shell\ExecCGI\Command\(Default) => C:\Perl\bin\perl.exe -
wT

Security

Be careful when using ScriptInterpreterSource Registry with ScriptAlias'ed 
directories, because Apache will try to execute every file within this 
directory. The Registry setting may cause undesired program calls on files 
which are typically not executed. For example, the default open command on .htm 
files on most Windows systems will execute Microsoft Internet Explorer, so any 
HTTP request for an .htm file existing within the script directory would start 
the browser in the background on the server. This is a good way to crash your 
system within a minute or so.

The option Registry-Strict which is new in Apache 2.0 does the same thing as 
Registry but uses only the default value of the subkey Shell\ExecCGI\Command. 
The ExecCGI key is not a common one. It must be configured manually in the 
windows registry and hence prevents accidental program calls on your system.

-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org

DO NOT REPLY [Bug 39306] - Documentation for ScriptInterpreterSource is not specific enough

Posted by bu...@apache.org.

DO NOT REPLY TO THIS EMAIL, BUT PLEASE POST YOUR BUG�
RELATED COMMENTS THROUGH THE WEB INTERFACE AVAILABLE AT
<http://issues.apache.org/bugzilla/show_bug.cgi?id=39306>.
ANY REPLY MADE TO THIS MESSAGE WILL NOT BE COLLECTED AND�
INSERTED IN THE BUG DATABASE.

http://issues.apache.org/bugzilla/show_bug.cgi?id=39306


tony@pc-tony.com changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |FIXED




------- Additional Comments From tony@pc-tony.com  2007-07-26 14:53 -------
Patch added:  http://svn.apache.org/viewvc?view=rev&rev=560011
Should be visible within a few hours or so. Sorry for the delay.

Cheers,
Tony


-- 
Configure bugmail: http://issues.apache.org/bugzilla/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.

---------------------------------------------------------------------
To unsubscribe, e-mail: bugs-unsubscribe@httpd.apache.org
For additional commands, e-mail: bugs-help@httpd.apache.org