Posted to dev@httpd.apache.org by Rob Hartill <ro...@imdb.com> on 1996/10/18 20:36:28 UTC
WWW Form Bug Report: "Server-side Includes shouldn't allow Unix execution" on OTHER:all (fwd)
acked.
This request is almost as old as Apache itself.
----- Forwarded message from jason@oit.co.uk -----
Message-Id: <19...@taz.hyperreal.com>
From: jason@oit.co.uk
To: apache-bugs%apache.org@organic.com
Date: Fri Oct 18 9:49:02 1996
Subject: WWW Form Bug Report: "Server-side Includes shouldn't allow Unix execution" on OTHER:all
Submitter: jason@oit.co.uk
Operating system: OTHER:all, version:
Version of Apache Used: 1.1.1 - 1.2
Extra Modules used:
URL exhibiting problem:
Symptoms:
--
I'm concerned that Apache allows people to run Unix
commands vs SSI. It's one thing to allow CGI hooks,
where (in our case) the Sysadmin has control over what
directories are capable of running CGIs, but Unix
commands?!?! I'd love it if Apache could be configured
to allow SSI CGIs but not Unix commands.
Here's a patch I use to disable this feature. What
would be better would be making this a configuration
option. Maybe IncludeNOUNIX?
diff -p mod_include.c mod_include.c.orig
*** mod_include.c Fri Oct 18 17:44:21 1996
--- mod_include.c.orig Fri Oct 18 17:36:33 1996
*************** void include_cmd_child (void *arg)
*** 561,569 ****
#endif
cleanup_for_exec();
/* set shellcmd flag to pass arg to SHELL_PATH */
- #ifdef ALLOW_UNIX_EXEC
call_exec(r, s, create_environment (r->pool, env), 1);
- #endif /* ALLOW_UNIX_EXEC */
/* Oh, drat. We're still here. The log file descriptors are closed,
* so we have to whimper a complaint onto stderr...
--- 561,567 ----
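Review bot: the diff was generated with the files in reverse order (`diff -p mod_include.c mod_include.c.orig`), so the `#ifdef ALLOW_UNIX_EXEC` and `#endif /* ALLOW_UNIX_EXEC */` lines around `call_exec(r, s, create_environment (r->pool, env), 1);` appear as `-` lines, and applying it as posted to an original tree would strip the guard instead of adding it; regenerate it with the original file first and the patched file second. Separately, when ALLOW_UNIX_EXEC is undefined, include_cmd_child falls straight through to the "Oh, drat. We're still here" path, so a deliberately disabled command is reported on stderr as if the exec had failed, and only after the child has already been set up. Refusing the command before the child is created, with an explicit "disabled" message, would be cleaner, and a runtime configuration option as suggested in the report would avoid a rebuild to change the setting.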