You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Randy Terbush <ra...@zyzzyva.com> on 1995/11/03 15:08:48 UTC

Re: Vote summary for 0.8.15

> Outstanding problems:
> 1. // in paths
> 2. The #include file=xxx problem. Randy seems to have disappeared from this
>    list. If this problem is not fixed, then the compatibility notes will
>    need a big notice stating:
> 

Sorry for my silence. I sent a response immediately to David's request
that I change my vote, but discover now that it fell on the floor...

My comment in short was:

I don't want to change my vote.
I think there needs to be some more discussion about the solution to 
this since changing it at this stage in the game will break much of
my include usage, and I suspect others.

I agree that there is a security problem here.

I don't agree with the interpretation of the two tags and would like
to get a chance to look at the NCSA sources to see how they were handled
in the past. I would like more discussion on the matter before we
close doors.

My interpretation:

file= any file as referenced by the local filesystem. Restricting access
outside of the documentroot should be configurable.

virtual= any file as referenced within the document root filespace.
The fact that you can pass an argument *without* a leading slash for 
this tag is IMHO a bug.