Posted to apache-bugdb@apache.org by Lars Eilebrecht <sf...@unix-ag.org> on 1997/07/08 17:10:02 UTC

mod_include/840: Bogus error_log entry

>Number:         840
>Category:       mod_include
>Synopsis:       Bogus error_log entry
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache (Apache HTTP Project)
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Tue Jul  8 08:10:02 1997
>Originator:     sfx@unix-ag.org
>Organization:
apache
>Release:        1.2.0
>Environment:
Linux 2.0 i586
>Description:
If someone uses (by mistake) something like this:

 <!--#exec cmd="/path/to/dir"-->

the following entry appears in the error_log:

"/bin/sh: /path/to/dir: is a directory"

Without a leading date entry and without a clue as to which
include contains the invalid CGI reference.

This also happens if the command is not executable (due
to permissions).

>How-To-Repeat:

>Fix:
Use stat on the supplied command-path and check permissions
before calling /bin/sh
>Audit-Trail:
>Unformatted:
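
A sketch of the pre-exec check suggested under ">Fix:", as an added example that is not Apache source code. The helper name `check_exec_target`, the message layout and the sample paths are assumptions; it treats the `cmd` value as a bare path, and because the file can change between the check and the exec, the exec failure path still has to be logged as well.

```c
#include <stdio.h>
#include <string.h>
#include <errno.h>
#include <time.h>
#include <unistd.h>
#include <sys/stat.h>

/* Hypothetical helper, not part of Apache's API. Returns 0 if `path` is a
 * regular file the server process may execute. Otherwise returns -1 and
 * writes a timestamped diagnostic that names the SSI document into `msg`. */
int check_exec_target(const char *path, const char *ssi_file,
                      char *msg, size_t msglen)
{
    struct stat st;
    const char *why = NULL;
    char stamp[64];
    time_t now;

    if (stat(path, &st) != 0)
        why = strerror(errno);            /* missing path, bad component, ... */
    else if (S_ISDIR(st.st_mode))
        why = "is a directory";
    else if (!S_ISREG(st.st_mode))
        why = "not a regular file";
    else if (access(path, X_OK) != 0)
        why = "not executable";           /* permission problem */

    if (why == NULL)
        return 0;                         /* safe to hand to /bin/sh */

    /* Build the entry the report asks for: date first, then the include. */
    now = time(NULL);
    strftime(stamp, sizeof stamp, "%a %b %d %H:%M:%S %Y", localtime(&now));
    snprintf(msg, msglen, "[%s] exec cmd \"%s\" in %s: %s",
             stamp, path, ssi_file, why);
    return -1;
}

int main(void)
{
    char msg[512];
    /* Constructed inputs: "/" is a directory, "/bin/sh" is executable. */
    if (check_exec_target("/", "/www/docs/index.shtml", msg, sizeof msg) != 0)
        fprintf(stderr, "%s\n", msg);
    return check_exec_target("/bin/sh", "/www/docs/index.shtml",
                             msg, sizeof msg);
}
```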