Posted to dev@httpd.apache.org by sa...@c2.net on 1997/01/09 06:34:34 UTC
nph- deprecation
Because of the dangers of nph-, as described here earlier,
I proposed:
1) an option to disable nph: NphDisable
2) making my unbuffered cgi patch a "supported patch"
Should I work on this? I'd like to let people avoid the nph-
security problem, and deprecating nph- has always been one of my
goals.
I do think #1 is worth going into the beta, because it is a
security thing. #2 is too iffy/featurish to put in right now.
Re: nph- deprecation
Posted by ra...@lerdorf.on.ca.
> > 2) making my unbuffered cgi patch a "supported patch"
>
> +1.
>
> Brian
If we are adding that, how about an rflush() call so I can stop messing
with the BUFF stuff from my modules? Personally I see little need
for unbuffered output if it were easy to flush the buffer.
-Rasmus
Re: nph- deprecation
Posted by Brian Behlendorf <br...@organic.com>.
On Wed, 8 Jan 1997 sameer@c2.net wrote:
> 1) an option to disable nph: NphDisable
> I do think #1 is worth going into the beta, because it is a
> security thing.
Hmm... what about instead, closing the fd to stdin to the nph script after the
script starts outputting data? That way the nph script can't answer a second
kept-alive request and start spoofing things. Will that work? I'd +1 that as
a security fix for 1.2. Disabling NPH scripts isn't enough for 1.2 imho.
> 2) making my unbuffered cgi patch a "supported patch"
+1.
Brian
--=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
brian@organic.com www.apache.org hyperreal.com http://www.organic.com/JOBS