Posted to dev@httpd.apache.org by Rodent of Unusual Size <CO...@PROCESS.COM> on 1997/11/09 21:36:00 UTC

Options & SSIs

    Oh, bogus.  Tell me I'm misinterpreting this:

     o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
     o "#exec cgi=" can be turned on with "Options ExecCGI".
     o "Options IncludesNoExec" disables both "#exec cgi=" and
       "#exec cmd=".

    In other words, there's no way to turn off shell-command execution
    without turning off CGI execution as well.  And shell-command
    execution is turned on by default if SSIs are.

    Personally, I consider CGIs marginally safer than arbitrary shell
    commands, and I'd rather this situation were reversed.

    Of course, the waters are significantly muddied by "#include virtual".

    Yuk.

    Maybe breaking this into

     Options IncludesCGI
     Options IncludesCMD
     Options Includes

    Then

      Current			    New
     Includes IncludesNoExec	== Includes
     Includes ExecCGI		== Includes IncludesCGI
     Includes			== Includes IncludesCGI IncludesCMD
     (not currently possible)	== Includes IncludesCMD

    and allows CGI and shell-command execution to be independently
    enabled/disabled.  This also has the advantage (IMHO) of
    disambiguating the meaning of Options - right now some of the
    keywords are enablers and some are disablers (IncludesNoExec). This
    would make them all enablers.

    I need to look into how the Options keywords affect the "#include
    virtual" stuff; I'm just thinking aloud (?) here..

    #ken    P-)}
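
For anyone checking where this distinction matters in a configuration, here is an added example (not part of the original thread and not Apache code): it classifies each `Options` directive as SSI with `#exec` allowed, SSI without it, or no SSI. The sample configuration is constructed, each directive is judged on its own (inheritance and `+`/`-` merging across sections are not modelled), and `Includes` combined with `IncludesNoExec` is counted as no-exec, following the table in the post above.

```python
import re

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = '''\
Options Indexes Includes
<Directory "/srv/www/docs">
    Options IncludesNoExec FollowSymLinks
</Directory>
<Directory "/srv/www/users">
    Options +Includes -Indexes
</Directory>
'''

SECTION_OPEN = re.compile(r'^<(\w+)\s+(.*?)>$')
SECTION_CLOSE = re.compile(r'^</\w+>$')

def classify(keywords):
    """Return 'exec', 'noexec' or 'off' for one Options directive."""
    enabled = set()
    for word in keywords:
        name = word.lstrip('+-').lower()
        if word.startswith('-'):
            enabled.discard(name)   # '-Keyword' switches it off
        else:
            enabled.add(name)       # bare or '+Keyword' switches it on
    if 'includesnoexec' in enabled:
        return 'noexec'  # with Includes too: no exec, as in the post's table
    if 'includes' in enabled or 'all' in enabled:
        return 'exec'    # SSI on and #exec not blocked by Options
    return 'off'

def audit(conf_text):
    """Return (line_no, context, verdict) for every Options directive."""
    stack, findings = [], []
    for line_no, raw in enumerate(conf_text.splitlines(), 1):
        line = raw.strip()
        words = line.split()
        opened = SECTION_OPEN.match(line)
        if SECTION_CLOSE.match(line):
            del stack[-1:]          # leave the innermost section
        elif opened:
            stack.append(opened.group(1) + ' ' + opened.group(2).strip('"'))
        elif words and words[0].lower() == 'options':
            findings.append((line_no, ' > '.join(stack) or 'global', classify(words[1:])))
    return findings

if __name__ == '__main__':
    print(*audit(SAMPLE_CONF), sep='\n')
```

Lines reported as `exec` are the ones to review if shell-command execution from SSI pages is not wanted.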

Re: Options & SSIs

Posted by Marc Slemko <ma...@worldgate.com>.
I don't see any need for special code to allow enabling exec cgi without
exec cmd.  exec cgi is legacy.  Use include virtual instead.  It is
supposed to work in both Includes and IncludesNoExec, however right now it
only works for ScriptAliased directories.  I think that should be fixed
(there is a PR on it somewhere), but once it is I see no reason for adding
code to play with exec cgi. 

Where do you get the idea that ExecCGI allows "exec cgi"?


On Sun, 9 Nov 1997, Rodent of Unusual Size wrote:

>     Oh, bogus.  Tell me I'm misinterpreting this:
> 
>      o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
>      o "#exec cgi=" can be turned on with "Options ExecCGI".
>      o "Options IncludesNoExec" disables both "#exec cgi=" and
>        "#exec cmd=".
> 
>     In other words, there's no way to turn off shell-command execution
>     without turning off CGI execution as well.  And shell-command
>     execution is turned on by default if SSIs are.
> 
>     Personally, I consider CGIs marginally safer than arbitrary shell
>     commands, and I'd rather this situation were reversed.
> 
>     Of course, the waters are significantly muddied by "#include virtual".
> 
>     Yuk.
> 
>     Maybe breaking this into
> 
>      Options IncludesCGI
>      Options IncludesCMD
>      Options Includes
> 
>     Then
> 
>       Current			    New
>      Includes IncludesNoExec	== Includes
>      Includes ExecCGI		== Includes IncludesCGI
>      Includes			== Includes IncludesCGI IncludesCMD
>      (not currently possible)	== Includes IncludesCMD
> 
>     and allows CGI and shell-command execution to be independently
>     enabled/disabled.  This also has the advantage (IMHO) of
>     disambiguating the meaning of Options - right now some of the
>     keywords are enablers and some are disablers (IncludesNoExec). This
>     would make them all enablers.
> 
>     I need to look into how the Options keywords affect the "#include
>     virtual" stuff; I'm just thinking aloud (?) here..
> 
>     #ken    P-)}
> 


Re: Options & SSIs

Posted by Dean Gaudet <dg...@arctic.org>.
See PR#697, it includes a patch that does this. 

Dean

On Sun, 9 Nov 1997, Rodent of Unusual Size wrote:

>     Oh, bogus.  Tell me I'm misinterpreting this:
> 
>      o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
>      o "#exec cgi=" can be turned on with "Options ExecCGI".
>      o "Options IncludesNoExec" disables both "#exec cgi=" and
>        "#exec cmd=".
> 
>     In other words, there's no way to turn off shell-command execution
>     without turning off CGI execution as well.  And shell-command
>     execution is turned on by default if SSIs are.
> 
>     Personally, I consider CGIs marginally safer than arbitrary shell
>     commands, and I'd rather this situation were reversed.
> 
>     Of course, the waters are significantly muddied by "#include virtual".
> 
>     Yuk.
> 
>     Maybe breaking this into
> 
>      Options IncludesCGI
>      Options IncludesCMD
>      Options Includes
> 
>     Then
> 
>       Current			    New
>      Includes IncludesNoExec	== Includes
>      Includes ExecCGI		== Includes IncludesCGI
>      Includes			== Includes IncludesCGI IncludesCMD
>      (not currently possible)	== Includes IncludesCMD
> 
>     and allows CGI and shell-command execution to be independently
>     enabled/disabled.  This also has the advantage (IMHO) of
>     disambiguating the meaning of Options - right now some of the
>     keywords are enablers and some are disablers (IncludesNoExec). This
>     would make them all enablers.
> 
>     I need to look into how the Options keywords affect the "#include
>     virtual" stuff; I'm just thinking aloud (?) here..
> 
>     #ken    P-)}
>