You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Rodent of Unusual Size <Ke...@Golux.Com> on 1998/09/09 16:11:43 UTC
Scope of Include directive?
Does anyone see any reason why the Include directive shouldn't
be available everywhere, including .htaccess files?
#ken P-)}
Ken Coar <http://Web.Golux.Com/coar/>
Apache Group member <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
Re: Scope of Include directive?
Posted by Dean Gaudet <dg...@arctic.org>.
On Wed, 9 Sep 1998, Manoj Kasichainula wrote:
> On Wed, Sep 09, 1998 at 10:11:43AM -0400, Rodent of Unusual Size wrote:
> > Does anyone see any reason why the Include directive shouldn't
> > be available everywhere, including .htaccess files?
>
> I haven't looked at the code for this possiblilty, but could there be
> a DoS from setting up an Include loop?
Good point.
You'd need some way to walk up the nesting and compare ino/dev... or just
have a max nesting limit (more portable).
Dean
Re: Scope of Include directive?
Posted by Manoj Kasichainula <ma...@io.com>.
On Wed, Sep 09, 1998 at 10:11:43AM -0400, Rodent of Unusual Size wrote:
> Does anyone see any reason why the Include directive shouldn't
> be available everywhere, including .htaccess files?
I haven't looked at the code for this possiblilty, but could there be
a DoS from setting up an Include loop?
.htaccess:
Include /home/luser/public_html/.htaccess
--
Manoj Kasichainula - manojk at io dot com - http://www.io.com/~manojk/
"Violence is the first refuge of the violent." - Aaron Allston
Re: Scope of Include directive?
Posted by Rodent of Unusual Size <co...@Apache.Org>.
Dana Carson wrote:
>
> > Does anyone see any reason why the Include directive shouldn't
> > be available everywhere, including .htaccess files?
>
> It would be convenient but the security possibilities make me nervous. I
> suppose you can figure that anyone that uses someone elses file included in
> a file that does access control can't really care.
For now, I'll just open it up to use anywhere in the server
config files.
For your point above, I think careful selection of which
overrides
must be allowed in order to use it in .htaccess files should
address the issue. Mmm?
#ken P-)}
Ken Coar <http://Web.Golux.Com/coar/>
Apache Group member <http://www.apache.org/>
"Apache Server for Dummies" <http://Web.Golux.Com/coar/ASFD/>
Re: Scope of Include directive?
Posted by Dana Carson <dc...@access.digex.net>.
> Does anyone see any reason why the Include directive shouldn't
> be available everywhere, including .htaccess files?
>
> #ken P-)}
It would be convenient but the security possibilities make me nervous. I
suppose you can figure that anyone that uses someone elses file included in
a file that does access control can't really care.
--
Dana Carson
dcarson@cyberteams.com http://www.cyberteams.com/
dcarson@access.digex.net http://www.access.digex.net/~dcarson/
Lunar Resources Company http://www.tlrc.com/
Artemis Society International http://www.asi.org/
Baltimore in '98 http://www.bucconeer.worldcon.org/