Posted to dev@httpd.apache.org by Howard Fear <hs...@pooh.pageplus.com> on 1996/11/04 05:46:27 UTC

Re: An old chestnut?

Ben Laurie wrote:
>> I'm sure this has come up before but I can't remember why you can't enable
>> exec cgi in an SSI without enabling exec cmd (I admit, I haven't tried it, 
>> but there's a lot of talk about it on www-security, and this is what
>> the code seems to say).

Brian Behlendorf replied:
> Actually, it should be added to the FAQ (one of a long list of things in my
> apache-docs to-do mbox :)
> 
> Use <!--#include virtual="script.cgi" --> to run CGI's when the
> IncludesNoExec option is set.

I had responded to Ben with this point.  But, I have a couple of
additions:
    1) If I manage to rewrite the mod_xinclude docs for 1.2, this
       will be noted.  I believe that everyone's still using the
       NCSA docs for SSI and they miss some important Apache additions
       to include virtual - such as the ability to run cgi's and
       pass QUERY_STRINGs.
    2) I think that exec cgi= should be noted as a deprecated usage.  
       Basically, we can no longer prevent someone from executing
       a cgi script so IncludesNoExec is somewhat misleading.
       And, having two methods to do one thing is likely to be confusing.

BTW, sorry my participation is down, but I started a new job in a
startup.  But, I am still committed to maintaining mod_xinclude.

On another front, as an alternative to mod_cgissi, perhaps you can write
a program that processes an ssi file, which can be called from a cgi
script.  This would handle some of the common needs such as nested
include files without opening the security holes.

--
Howard Fear      email1: howard_fear@pageplus.com
                 email2: howard_fear@redcape.com
                 http://www.pageplus.com/~hsf/
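
An added example, not part of the original message or of Apache's code: a small Python audit that scans an SSI document for the directives discussed in this thread and reports which ones IncludesNoExec blocks. The `audit_ssi` name, the sample document, and the heuristic that a `.cgi`/`.pl` suffix or a `cgi-bin/` path marks a CGI target are assumptions.

```python
import re

# An SSI directive has the form <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.S)
ATTR = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

# Assumption: a target is treated as a CGI if it ends in .cgi/.pl or lives
# under cgi-bin/. The real answer depends on the server's ScriptAlias and
# handler configuration, which this script cannot see.
CGI_HINT = re.compile(r'\.(cgi|pl)(\?|$)|(^|/)cgi-bin/', re.I)

def audit_ssi(text):
    """Return (line, directive, target, blocked_by_IncludesNoExec) tuples."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        element = m.group(1).lower()
        attrs = {name.lower(): dq or sq or bare
                 for name, dq, sq, bare in ATTR.findall(m.group(2))}
        line = text.count("\n", 0, m.start()) + 1
        if element == "exec":
            for kind in ("cmd", "cgi"):
                if kind in attrs:
                    # Both exec forms are disabled by IncludesNoExec.
                    findings.append((line, "exec " + kind, attrs[kind], True))
        elif element == "include" and CGI_HINT.search(attrs.get("virtual", "")):
            # Per the thread: include virtual still runs a CGI under IncludesNoExec.
            findings.append((line, "include virtual", attrs["virtual"], False))
    return findings

# Constructed sample document, not taken from any real site.
SAMPLE = """<html>
<!--#include virtual="/header.html" -->
<!--#exec cmd="ls -l" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#include virtual="/cgi-bin/search.cgi?q=apache" -->
<!--#include file="footer.html" -->
</html>
"""

if __name__ == "__main__":
    for line, directive, target, blocked in audit_ssi(SAMPLE):
        state = "blocked" if blocked else "still runs"
        print(f"line {line}: {directive} -> {target} ({state} under IncludesNoExec)")
```

Findings with the last field False are the ones to review when a directory relies on IncludesNoExec to keep page authors from running programs.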