Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1997/07/02 16:33:54 UTC

Re: mirrors and SSIs

> On Tue, 1 Jul 1997, Ben Laurie wrote:
> 
> > Dean Gaudet wrote:
> > > 
> > > No this is the wrong answer.  I, for example, refuse to run CGIs or SSIs
> > > that I download automatically from taz... and I trust Brian.  Requiring
> > > mirrors to run SSI or CGI means that a compromise of taz can be a
> > > compromise of every single mirror site.
> > 
> > Hang on - isn't SSI with no exec supposed to be safe?
> 
> Define safe.
> 
> <!--#include file="/etc/passwd">
> 
> Safe, yes.  Safe, no.

That does not work.

Re: mirrors and SSIs

Posted by Brian Behlendorf <br...@organic.com>.
At 04:04 PM 7/6/97 -0700, you wrote:
>We will lose mirrors if you ask for this requirement.  I see no need for
>the requirement.  You are dictating that a mirror be required to use a
>module that perhaps they don't trust.  I don't trust it myself.  You
>should bring it up on the mirrors mailing list and see other responses for
>yourself though.

Sigh.  My kingdom for properly working client-side includes.

>You should bring it up on the mirrors mailing list and see other responses
>for yourself though.

Will do.

>And why is it bad to run expand.pl on taz ?

Because then the expanded form needs to be what's in the CVS tree.  

Maybe we need a richer publishing system, where the files are staged from
the CVS tree and then "burned" to the live area.  That burning process can
include include expansion, perhaps some other type of macro expansion (such
as the server version #! :), etc.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL                brian@organic.com - hyperreal.org - apache.org

Re: mirrors and SSIs

Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 6 Jul 1997, Dean Gaudet wrote:

> We will lose mirrors if you ask for this requirement.  I see no need for
> the requirement.  You are dictating that a mirror be required to use a
> module that perhaps they don't trust.  I don't trust it myself.  You
> should bring it up on the mirrors mailing list and see other responses for
> yourself though.
> 
> And why is it bad to run expand.pl on taz ?

Because then we can't just do a cvs update on taz without having worries
about conflicts.  Shouldn't happen often, but certainly could happen and
that is ugly. 

> 
> Dean
> 
> On Thu, 3 Jul 1997, Brian Behlendorf wrote:
> 
> > At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
> > >> On Tue, 1 Jul 1997, Ben Laurie wrote:
> > 
> > [SSI's considered harmful?]
> > 
> > >> Define safe.
> > >> 
> > >> <!--#include file="/etc/passwd">
> > >> 
> > >> Safe, yes.  Safe, no.
> > >
> > >That does not work.
> > 
> > Indeed, it appears file="" can't pull anything not in the same directory or
> > below.  So, I contend it does not represent a security risk, and
> > "IncludesNoExec" can be safely run by mirror sites.
> > 
> > 	Brian
> > 
> > 
> > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> > "Why not?" - TL                brian@organic.com - hyperreal.org - apache.org
> > 
> 


Re: mirrors and SSIs

Posted by Dean Gaudet <dg...@arctic.org>.
We will lose mirrors if you ask for this requirement.  I see no need for
the requirement.  You are dictating that a mirror be required to use a
module that perhaps they don't trust.  I don't trust it myself.  You
should bring it up on the mirrors mailing list and see other responses for
yourself though.

And why is it bad to run expand.pl on taz ?

Dean

On Thu, 3 Jul 1997, Brian Behlendorf wrote:

> At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
> >> On Tue, 1 Jul 1997, Ben Laurie wrote:
> 
> [SSI's considered harmful?]
> 
> >> Define safe.
> >> 
> >> <!--#include file="/etc/passwd">
> >> 
> >> Safe, yes.  Safe, no.
> >
> >That does not work.
> 
> Indeed, it appears file="" can't pull anything not in the same directory or
> below.  So, I contend it does not represent a security risk, and
> "IncludesNoExec" can be safely run by mirror sites.
> 
> 	Brian
> 
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> "Why not?" - TL                brian@organic.com - hyperreal.org - apache.org
> 


Re: mirrors and SSIs

Posted by Brian Behlendorf <br...@organic.com>.
At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
>> On Tue, 1 Jul 1997, Ben Laurie wrote:

[SSI's considered harmful?]

>> Define safe.
>> 
>> <!--#include file="/etc/passwd">
>> 
>> Safe, yes.  Safe, no.
>
>That does not work.

Indeed, it appears file="" can't pull anything not in the same directory or
below.  So, I contend it does not represent a security risk, and
"IncludesNoExec" can be safely run by mirror sites.

	Brian


--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
"Why not?" - TL                brian@organic.com - hyperreal.org - apache.org
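Added illustration, not code from the Apache project or from anyone in this thread (and not the expand.pl mentioned above): a small Python script that does the publish-time "burning" Brian proposes earlier on this page. It expands <!--#include file="..." --> offline so that mirrors receive plain HTML and need neither mod_include nor CGI, applies the restriction Brian describes for file= (the value is relative to the including document's directory, may not be absolute and may not contain ".."), and refuses #exec outright, which is what IncludesNoExec denies at serve time. The check is applied per path component rather than as a literal "../" substring match, so "inc/../../x" is refused too. The directory layout, file names and function names are assumptions made for the example, and the sample tree is constructed inside a temporary directory.

```python
"""Publish-time ("burn") expansion of Apache SSI #include file= directives.

Added example; not mod_include's code and not expand.pl.  File names, the
sample tree and the function names are made up for illustration.
"""
import re
import tempfile
from pathlib import Path, PurePosixPath

# One SSI directive: <!--#element attr="value" attr="value" -->
DIRECTIVE = re.compile(r'<!--#(\w+)((?:\s+\w+="[^"]*")*)\s*-->')
ATTR = re.compile(r'(\w+)="([^"]*)"')
MAX_DEPTH = 8  # a.shtml -> b.shtml -> a.shtml must terminate


class IncludeError(Exception):
    """A directive the burn step refuses; a publish run should fail closed."""


def file_include_allowed(value: str) -> bool:
    """The file= rule as Brian describes it: relative to the including
    document, never absolute, never climbing with "..".  Checked per path
    component so "inc/../../x" is refused as well as a literal "../"."""
    rel = PurePosixPath(value)
    return value != "" and not rel.is_absolute() and ".." not in rel.parts


def resolve_file_include(doc_dir: Path, value: str) -> Path:
    """Map a file= value to a path at or below the including document's directory."""
    if not file_include_allowed(value):
        raise IncludeError(f'file="{value}" refused: must stay at or below the document directory')
    return doc_dir.joinpath(*PurePosixPath(value).parts)


def burn(doc: Path, depth: int = 0) -> str:
    """Return doc's text with every #include file= expanded recursively."""
    if depth > MAX_DEPTH:
        raise IncludeError(f"{doc.name}: include nesting deeper than {MAX_DEPTH}")
    text = doc.read_text(encoding="utf-8")

    def replace(m):
        element, attrs = m.group(1), dict(ATTR.findall(m.group(2)))
        if element == "exec":
            # IncludesNoExec behaviour: nothing is ever run, at serve or publish time.
            raise IncludeError(f"{doc.name}: #exec refused")
        if element == "include":
            if "file" in attrs:
                # Nested includes resolve relative to the file being parsed.
                return burn(resolve_file_include(doc.parent, attrs["file"]), depth + 1)
            # virtual= is a URL path; mapping it needs the server's config, so the
            # example refuses it rather than guess at DocumentRoot.
            raise IncludeError(f"{doc.name}: only #include file= is expanded here")
        # #echo, #config, #fsize ... are left in place; without mod_include a
        # mirror serves them as inert HTML comments.
        return m.group(0)

    return DIRECTIVE.sub(replace, text)


def burn_site(src: Path) -> dict:
    """Burn every *.shtml under src.  Returns {relative name: ("ok", html)} or
    ("refused", reason); a real publish run would stop at the first refusal."""
    results = {}
    for doc in sorted(src.rglob("*.shtml")):
        name = doc.relative_to(src).as_posix()
        try:
            results[name] = ("ok", burn(doc))
        except IncludeError as err:
            results[name] = ("refused", str(err))
    return results


def demo() -> dict:
    """Constructed sample tree (not real apache.org content) exercising the rules."""
    with tempfile.TemporaryDirectory() as tmp:
        site = Path(tmp) / "htdocs"
        (site / "inc").mkdir(parents=True)
        (Path(tmp) / "secret.txt").write_text("outside the tree", encoding="utf-8")
        files = {
            "index.shtml": '<html><!--#include file="inc/header.html" -->'
                           '<p>hello</p><!--#include file="inc/footer.shtml" --></html>',
            "inc/header.html": "<h1>Apache</h1>",
            "inc/footer.shtml": '<hr><!--#include file="notice.txt" -->',  # relative to inc/
            "inc/notice.txt": "mirror copy",
            "passwd.shtml": '<!--#include file="/etc/passwd" -->',
            "climb.shtml": '<!--#include file="../secret.txt" -->',
            "shell.shtml": '<!--#exec cmd="id" -->',
            "loop.shtml": '<!--#include file="loop.shtml" -->',
        }
        for name, body in files.items():
            (site / name).write_text(body, encoding="utf-8")
        return burn_site(site)


if __name__ == "__main__":
    for name, (status, body) in demo().items():
        print(f"{status:8} {name}: {body}")
```

Run stand-alone it prints one line per document: index.shtml and inc/footer.shtml come out as flat HTML with no directive left in them, while the absolute path, the "../" climb, the #exec and the self-including file are each refused, which is the point of doing the expansion on the staging host rather than asking mirrors to enable Includes.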