You are viewing a plain text version of this content. The canonical link for it is here.

Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/07/07 01:04:25 UTC

Re: mirrors and SSIs

We will lose mirrors if you ask for this requirement.  I see no need for
the requirement.  You are dictating that a mirror be required to use a
module that perhaps they don't trust.  I don't trust it myself.  You
should bring it up on the mirrors mailing list and see other responses for
yourself though.

And why is it bad to run expand.pl on taz ?

Dean

On Thu, 3 Jul 1997, Brian Behlendorf wrote:

> At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
> >> On Tue, 1 Jul 1997, Ben Laurie wrote:
> 
> [SSI's considered harmful?]
> 
> >> Define safe.
> >> 
> >> <!--#include file="/etc/passwd">
> >> 
> >> Safe, yes.  Safe, no.
> >
> >That does not work.
> 
> Indeed, it appears file="" can't pull anything not in the same directory or
> below.  So, I contend it does not represent a security risk, and
> "IncludesNoExec" can be safely run by mirror sites.
> 
> 	Brian
> 
> 
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> "Why not?" - TL                brian@organic.com - hyperreal.org - apache.org
>

Re: mirrors and SSIs

Posted by Marc Slemko <ma...@worldgate.com>.

On Sun, 6 Jul 1997, Dean Gaudet wrote:

> We will lose mirrors if you ask for this requirement.  I see no need for
> the requirement.  You are dictating that a mirror be required to use a
> module that perhaps they don't trust.  I don't trust it myself.  You
> should bring it up on the mirrors mailing list and see other responses for
> yourself though.
> 
> And why is it bad to run expand.pl on taz ?

Because then we can't just do a cvs update on taz without having worries
about conflicts.  Shouldn't happen often, but certainly could happen and
that is ugly. 

> 
> Dean
> 
> On Thu, 3 Jul 1997, Brian Behlendorf wrote:
> 
> > At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
> > >> On Tue, 1 Jul 1997, Ben Laurie wrote:
> > 
> > [SSI's considered harmful?]
> > 
> > >> Define safe.
> > >> 
> > >> <!--#include file="/etc/passwd">
> > >> 
> > >> Safe, yes.  Safe, no.
> > >
> > >That does not work.
> > 
> > Indeed, it appears file="" can't pull anything not in the same directory or
> > below.  So, I contend it does not represent a security risk, and
> > "IncludesNoExec" can be safely run by mirror sites.
> > 
> > 	Brian
> > 
> > 
> > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> > "Why not?" - TL                brian@organic.com - hyperreal.org - apache.org
> > 
>