[3427] in WWW Security List Archive


Re: SSI #exec

daemon@ATHENA.MIT.EDU (Nathan Neulinger)
Fri Nov 1 11:13:21 1996

In-Reply-To: <9611010943.aa27081@gonzo.ben.algroup.co.uk>
Date: Fri, 1 Nov 1996 07:50:49 -0600
To: ben@algroup.co.uk
From: Nathan Neulinger <nneul@umr.edu>
Cc: xax@arkenstone.pub.ro, www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

>>
>> BTW, ScriptAlias bypasses the ExecCGI mechanism. Not that this helps!
>
>More news: I am reliably informed that you can run CGIs with <!--#include
>virtual...>, even when exec is disabled. I haven't checked this!
>

Interesting... will have to look at that...

Personally, I think the whole problem is ridiculous... It all could have
been solved VERY SIMPLY by doing what the stinking browser is built to do!
Grab a bunch of things like html and images, and put them together.

You can do <IMG SRC="">, so why not allow a <HTML SRC="">, or <INSERT
SRC="">, or <RAW SRC="">...

All of these things would have obviated the need for any server side
include functionality. Not to mention they would have solved the caching
problem that making all documents server parseable causes.

Sure, you could still leave in the server side includes for more efficient
insertion of other text/html files, but for cgi/exec/etc. just let the
browser do the work.

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org


