You are viewing a plain text version of this content. The canonical link for it is here.
Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1995/11/03 15:08:48 UTC
Re: Vote summary for 0.8.15
> Outstanding problems:
> 1. // in paths
> 2. The #include file=xxx problem. Randy seems to have disappeared from this
> list. If this problem is not fixed, then the compatibility notes will
> need a big notice stating:
>
Sorry for my silence. I sent a response immediately to David's request
that I change my vote, but discover now that it fell on the floor...
My comment in short was:
I don't want to change my vote.
I think there needs to be some more discussion about the solution to
this since changing it at this stage in the game will break much of
my include usage, and I suspect others.
I agree that there is a security problem here.
I don't agree with the interpretation of the two tags and would like
to get a chance to look at the NCSA sources to see how they were handled
in the past. I would like more discussion on the matter before we
close doors.
My interpretation:
file= any file as referenced by the local filesystem. Restricting access
outside of the documentroot should be configurable.
virtual= any file as referenced within the document root filespace.
The fact that you can pass an argument *without* a leading slash for
this tag is IMHO a bug.