Posted to dev@httpd.apache.org by Rodent of Unusual Size <CO...@PROCESS.COM> on 1997/11/09 21:36:00 UTC
Options & SSIs
Oh, bogus. Tell me I'm misinterpreting this:

 o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
 o "#exec cgi=" can be turned on with "Options ExecCGI".
 o "Options IncludesNoExec" disables both "#exec cgi=" and
   "#exec cmd=".

In other words, there's no way to turn off shell-command execution
without turning off CGI execution as well. And shell-command
execution is turned on by default if SSIs are.

Personally, I consider CGIs marginally safer than arbitrary shell
commands, and I'd rather this situation were reversed.

Of course, the waters are significantly muddied by "#include virtual".

Yuk.

Maybe breaking this into

    Options IncludesCGI
    Options IncludesCMD
    Options Includes

Then

    Current                      New
    Includes IncludesNoExec  ==  Includes
    Includes ExecCGI         ==  Includes IncludesCGI
    Includes                 ==  Includes IncludesCGI IncludesCMD
    (not currently possible) ==  Includes IncludesCMD

and allows CGI and shell-command execution to be independently
enabled/disabled. This also has the advantage (IMHO) of
disambiguating the meaning of Options - right now some of the
keywords are enablers and some are disablers (IncludesNoExec). This
would make them all enablers.

I need to look into how the Options keywords affect the "#include
virtual" stuff; I'm just thinking aloud (?) here..

#ken P-)}

Re: Options & SSIs
Posted by Marc Slemko <ma...@worldgate.com>.
I don't see any need for special code to allow enabling exec cgi without
exec cmd. exec cgi is legacy. Use include virtual instead. It is
supposed to work in both Includes and IncludesNoExec, however right now it
only works for ScriptAliased directories. I think that should be fixed
(there is a PR on it somewhere), but once it is I see no reason for adding
code to play with exec cgi.
Where do you get the idea that ExecCGI allows "exec cgi"?
On Sun, 9 Nov 1997, Rodent of Unusual Size wrote:
> Oh, bogus. Tell me I'm misinterpreting this:
>
>  o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
>  o "#exec cgi=" can be turned on with "Options ExecCGI".
>  o "Options IncludesNoExec" disables both "#exec cgi=" and
>    "#exec cmd=".
>
> In other words, there's no way to turn off shell-command execution
> without turning off CGI execution as well. And shell-command
> execution is turned on by default if SSIs are.
>
> Personally, I consider CGIs marginally safer than arbitrary shell
> commands, and I'd rather this situation were reversed.
>
> Of course, the waters are significantly muddied by "#include virtual".
>
> Yuk.
>
> Maybe breaking this into
>
>     Options IncludesCGI
>     Options IncludesCMD
>     Options Includes
>
> Then
>
>     Current                      New
>     Includes IncludesNoExec  ==  Includes
>     Includes ExecCGI         ==  Includes IncludesCGI
>     Includes                 ==  Includes IncludesCGI IncludesCMD
>     (not currently possible) ==  Includes IncludesCMD
>
> and allows CGI and shell-command execution to be independently
> enabled/disabled. This also has the advantage (IMHO) of
> disambiguating the meaning of Options - right now some of the
> keywords are enablers and some are disablers (IncludesNoExec). This
> would make them all enablers.
>
> I need to look into how the Options keywords affect the "#include
> virtual" stuff; I'm just thinking aloud (?) here..
>
> #ken P-)}
>
Re: Options & SSIs
Posted by Dean Gaudet <dg...@arctic.org>.
See PR#697, it includes a patch that does this.
Dean
On Sun, 9 Nov 1997, Rodent of Unusual Size wrote:
> Oh, bogus. Tell me I'm misinterpreting this:
>
>  o "Options Includes" enables "#exec cmd=" but not "#exec cgi=".
>  o "#exec cgi=" can be turned on with "Options ExecCGI".
>  o "Options IncludesNoExec" disables both "#exec cgi=" and
>    "#exec cmd=".
>
> In other words, there's no way to turn off shell-command execution
> without turning off CGI execution as well. And shell-command
> execution is turned on by default if SSIs are.
>
> Personally, I consider CGIs marginally safer than arbitrary shell
> commands, and I'd rather this situation were reversed.
>
> Of course, the waters are significantly muddied by "#include virtual".
>
> Yuk.
>
> Maybe breaking this into
>
>     Options IncludesCGI
>     Options IncludesCMD
>     Options Includes
>
> Then
>
>     Current                      New
>     Includes IncludesNoExec  ==  Includes
>     Includes ExecCGI         ==  Includes IncludesCGI
>     Includes                 ==  Includes IncludesCGI IncludesCMD
>     (not currently possible) ==  Includes IncludesCMD
>
> and allows CGI and shell-command execution to be independently
> enabled/disabled. This also has the advantage (IMHO) of
> disambiguating the meaning of Options - right now some of the
> keywords are enablers and some are disablers (IncludesNoExec). This
> would make them all enablers.
>
> I need to look into how the Options keywords affect the "#include
> virtual" stuff; I'm just thinking aloud (?) here..
>
> #ken P-)}
>
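
An added example, not part of the original thread and not Apache code: a small Python audit that finds the three SSI elements discussed above in a document and marks the ones "Options IncludesNoExec" disables according to the thread ("#exec cmd=" and "#exec cgi="), treating "#include virtual" as unaffected, as Marc Slemko's reply describes. The function names and the sample page are constructed for illustration.

```python
import re

# One SSI element: <!--#element attr="value" ... -->
SSI_RE = re.compile(r'<!--#(\w+)\s+(.*?)\s*-->', re.S)
# One attribute: name="value", name='value' or name=bareword
ATTR_RE = re.compile(r'(\w+)\s*=\s*(?:"([^"]*)"|\'([^\']*)\'|(\S+))')

def ssi_directives(text):
    """Yield (line_number, element, attribute, value) for each SSI attribute."""
    for m in SSI_RE.finditer(text):
        line = text.count("\n", 0, m.start()) + 1
        for a in ATTR_RE.finditer(m.group(2)):
            value = next(g for g in a.groups()[1:] if g is not None)
            yield line, m.group(1).lower(), a.group(1).lower(), value

def classify(element, attr):
    """Map an element/attribute pair to the mechanisms named in the thread."""
    if element == "exec" and attr == "cmd":
        return "shell-command"      # string handed to the shell
    if element == "exec" and attr == "cgi":
        return "exec-cgi"
    if element == "include" and attr == "virtual":
        return "include-virtual"
    return "other"

def audit(text):
    """Return one finding per relevant SSI element in the document text."""
    findings = []
    for line, element, attr, value in ssi_directives(text):
        kind = classify(element, attr)
        if kind != "other":
            findings.append({
                "line": line, "kind": kind, "target": value,
                # Per the thread: IncludesNoExec disables both #exec forms.
                "blocked_by_noexec": kind in ("shell-command", "exec-cgi"),
            })
    return findings

# Constructed sample page, not taken from any real site.
SAMPLE = """<html><body>
<!--#exec cmd="uptime" -->
<!--#exec cgi="/cgi-bin/counter.cgi" -->
<!--#include virtual="/cgi-bin/banner.cgi" -->
<!--#echo var="DATE_LOCAL" -->
</body></html>
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```

Run over a document tree before switching a directory to IncludesNoExec, the findings with "blocked_by_noexec" set are the includes that would stop working.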