Posted to dev@httpd.apache.org by Dean Gaudet <dg...@arctic.org> on 1997/07/07 01:04:25 UTC
Re: mirrors and SSIs
We will lose mirrors if you ask for this requirement. I see no need for
the requirement. You are dictating that a mirror be required to use a
module that perhaps they don't trust. I don't trust it myself. You
should bring it up on the mirrors mailing list and see other responses for
yourself though.
And why is it bad to run expand.pl on taz?
Dean
On Thu, 3 Jul 1997, Brian Behlendorf wrote:
> At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
> >> On Tue, 1 Jul 1997, Ben Laurie wrote:
>
> [SSI's considered harmful?]
>
> >> Define safe.
> >>
> >> <!--#include file="/etc/passwd">
> >>
> >> Safe, yes. Safe, no.
> >
> >That does not work.
>
> Indeed, it appears file="" can't pull anything not in the same directory or
> below. So, I contend it does not represent a security risk, and
> "IncludesNoExec" can be safely run by mirror sites.
>
> Brian
>
>
> --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> "Why not?" - TL brian@organic.com - hyperreal.org - apache.org
>
Re: mirrors and SSIs
Posted by Marc Slemko <ma...@worldgate.com>.
On Sun, 6 Jul 1997, Dean Gaudet wrote:
> We will lose mirrors if you ask for this requirement. I see no need for
> the requirement. You are dictating that a mirror be required to use a
> module that perhaps they don't trust. I don't trust it myself. You
> should bring it up on the mirrors mailing list and see other responses for
> yourself though.
>
> And why is it bad to run expand.pl on taz?
Because then we can't just do a cvs update on taz without having worries
about conflicts. Shouldn't happen often, but certainly could happen and
that is ugly.
>
> Dean
>
> On Thu, 3 Jul 1997, Brian Behlendorf wrote:
>
> > At 09:33 AM 7/2/97 -0500, Randy Terbush wrote:
> > >> On Tue, 1 Jul 1997, Ben Laurie wrote:
> >
> > [SSI's considered harmful?]
> >
> > >> Define safe.
> > >>
> > >> <!--#include file="/etc/passwd">
> > >>
> > >> Safe, yes. Safe, no.
> > >
> > >That does not work.
> >
> > Indeed, it appears file="" can't pull anything not in the same directory or
> > below. So, I contend it does not represent a security risk, and
> > "IncludesNoExec" can be safely run by mirror sites.
> >
> > Brian
> >
> >
> > --=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=-=--
> > "Why not?" - TL brian@organic.com - hyperreal.org - apache.org
> >
>
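
The restriction discussed in the thread (file="" not reaching anything outside the including document's directory or below), sketched as an added example. This is not code from the thread or from Apache's mod_include; the function name ssi_file_arg_allowed and the sample paths are constructed for illustration.

```c
#include <stdbool.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper (an assumption, not Apache's code): lexical check
 * that an SSI file="..." argument stays in the including document's
 * directory or below. Rejects empty paths, absolute paths, and any ".."
 * path segment. It is purely lexical: it does not resolve symlinks, so a
 * symlink below the directory can still point somewhere else. */
bool ssi_file_arg_allowed(const char *path)
{
    if (path == NULL || *path == '\0')
        return false;
    if (path[0] == '/')                  /* absolute, e.g. /etc/passwd */
        return false;

    const char *seg = path;
    while (*seg != '\0') {
        size_t len = strcspn(seg, "/");  /* length of current segment */
        if (len == 2 && seg[0] == '.' && seg[1] == '.')
            return false;                /* ".." would climb out */
        seg += len;
        while (*seg == '/')              /* skip one or more separators */
            seg++;
    }
    return true;
}

int main(void)
{
    /* Constructed sample arguments, including the one quoted in the thread. */
    const char *samples[] = {
        "/etc/passwd", "footer.html", "inc/footer.html",
        "../secret.txt", "inc/../../secret.txt", "..hidden/file.html",
    };
    for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++)
        printf("%-24s %s\n", samples[i],
               ssi_file_arg_allowed(samples[i]) ? "allowed" : "rejected");
    return 0;
}
```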