Posted to dev@httpd.apache.org by Howard Fear <hs...@pooh.pageplus.com> on 1996/11/04 05:46:27 UTC
Re: An old chestnut?
Ben Laurie wrote:
>> I'm sure this has come up before but I can't remember why you can't enable
>> exec cgi in an SSI without enabling exec cmd (I admit, I haven't tried it,
>> but there's a lot of talk about it on www-security, and this is what
>> the code seems to say).
Brian Behlendorf replied:
> Actually, it should be added to the FAQ (one of a long list of things in my
> apache-docs to-do mbox :)
>
> Use <!--#include virtual="script.cgi" --> to run CGI's when the
> IncludesNoExec option is set.
I had responded to Ben with this point. But, I have a couple of
additions:

1) If I manage to rewrite the mod_xinclude docs for 1.2, this
   will be noted. I believe that everyone's still using the
   NCSA docs for SSI and they miss some important Apache additions
   to include virtual - such as the ability to run cgi's and
   pass QUERY_STRINGs.

2) I think that exec cgi= should be noted as a deprecated usage.
   Basically, we can no longer prevent someone from executing
   a cgi script so IncludesNoExec is somewhat misleading.
   And, having two methods to do one thing is likely to be confusing.

BTW, sorry my participation is down, but I started a new job in a
startup. But, I am still committed to maintaining mod_xinclude.

On another front, as an alternative to mod_cgissi, perhaps you can write
a program that processes an ssi file, which can be called from a cgi
script. This would handle some of the common needs such as nested
include files without opening the security holes.

--
Howard Fear email1: howard_fear@pageplus.com
email2: howard_fear@redcape.com
http://www.pageplus.com/~hsf/
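
An added example, not part of the original message or of Apache's code: a small Python audit that lists the SSI directives in a page that can start a program and marks which ones IncludesNoExec blocks, following the thread's point that include virtual can still run a CGI and pass a query string. The function names, verdict labels and sample page are constructed for illustration.

```python
import re

# One SSI directive: <!--#element attr="value" ... -->
DIRECTIVE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.S)
ATTR = re.compile(r'(\w+)\s*=\s*"([^"]*)"')

BLOCKED = "blocked-by-IncludesNoExec"
STILL_RUNS = "runs-cgi-if-target-is-cgi"


def audit_ssi(text):
    """Return (line, element, attr, value, verdict) for directives that can run a program."""
    findings = []
    for m in DIRECTIVE.finditer(text):
        element = m.group(1).lower()
        line = text.count("\n", 0, m.start()) + 1
        for attr, value in ATTR.findall(m.group(2)):
            attr = attr.lower()
            if element == "exec" and attr in ("cmd", "cgi"):
                verdict = BLOCKED
            elif element == "include" and attr == "virtual":
                # Per the thread: this form is not stopped by IncludesNoExec.
                # Whether the target really is a CGI depends on server mapping,
                # so every include virtual is reported for manual review.
                verdict = STILL_RUNS
            else:
                continue  # include file, echo, etc. do not start a program
            findings.append((line, element, attr, value, verdict))
    return findings


def survives_noexec(text):
    """Directives that can still start a CGI when IncludesNoExec is set."""
    return [f for f in audit_ssi(text) if f[4] == STILL_RUNS]


# Constructed sample page (not from the thread).
SAMPLE = '''<html>
<!--#include file="header.html" -->
<!--#exec cmd="date" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#include virtual="/cgi-bin/counter.cgi?page=home" -->
<!--#echo var="DATE_LOCAL" -->
</html>
'''

if __name__ == "__main__":
    for finding in audit_ssi(SAMPLE):
        print(finding)
```
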