Ben Laurie wrote:
>
> [Snippage has occurred]
>
> Blue Boar wrote:
> > The format of the SSI command entered is as follows:
> >
> > <!--#exec cmd="cat /etc/group"
> >
> > You should place this command (or other desired command) somewhere in the
> > comments.
> >
> > The format of the command is part of the problem, and why I'm thinking
> > there may be some sloppiness in Apache. It appears that there is an
> > assumption that SSI commands tend to be on lines by themselves, and are of
> > the format:
> >
> > <!--# (SSI command) -->
> >
> > In my testing with the most recent Apache at the time (1.3.9) I found it
> > took any of the following:
> >
> > <!--#exec cmd="cat /etc/group"-->
> > <!--#exec cmd="cat /etc/group">
> > <!--#exec cmd="cat /etc/group"
> >
> > It also didn't seem to matter that it was in the middle of a line of HTML.
> >
> > I'm actually a bit more worried about how many other scripts make this
> > assumption, and how long Apache has been making that be a bad assumption.
>
> Apache doesn't make a bad assumption. If you don't want SSIs executing
> stuff, you shouldn't enable it.
>
> Cheers,
>
> Ben.

Or you should enable it using the IncludesNOEXEC option rather than the
simple Includes option.

--
Jefferson Ogata <jogataat_private>
National Oceanographic Data Center
You can't step into the same river twice. -- Herakleitos
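An added example, not part of the original thread and not Apache's or any poster's code: a Python input filter for a script that writes visitor-supplied text into SSI-parsed pages. It keys on the `<!--#` opener anywhere in the text instead of on a well-formed directive on its own line, since the thread reports all three terminator variants being accepted; the function names and the naive pattern are hypothetical.

```python
import re

# Hypothetical naive filter of the kind the thread worries about: it assumes
# a directive sits on a line by itself and is closed with "-->".
NAIVE_SSI = re.compile(r"^\s*<!--#.*-->\s*$", re.MULTILINE)

# Opener shared by every variant quoted in the thread.
SSI_OPENER = "<!--#"

# Constructed input: the three variants from the thread, plus one placed in
# the middle of a line of HTML.
SAMPLES = [
    '<!--#exec cmd="cat /etc/group"-->',
    '<!--#exec cmd="cat /etc/group">',
    '<!--#exec cmd="cat /etc/group"',
    'Nice site! <!--#exec cmd="cat /etc/group" <b>bye</b>',
]


def naive_detects(text):
    """True only for a complete, self-contained directive line."""
    return bool(NAIVE_SSI.search(text))


def contains_ssi_opener(text):
    """True if the SSI opener appears anywhere, terminated or not."""
    return SSI_OPENER in text


def neutralize(text):
    """Escape the '<' of every opener before the text is stored in a page.

    The opener cannot overlap itself and the replacement adds no '<',
    so no opener remains in the result.
    """
    return text.replace(SSI_OPENER, "&lt;!--#")


def compare(samples=SAMPLES):
    """Return (naive result, opener result) for each sample."""
    return [(naive_detects(s), contains_ssi_opener(s)) for s in samples]


if __name__ == "__main__":
    for sample, (naive, robust) in zip(SAMPLES, compare()):
        print(f"naive={naive!s:5} opener={robust!s:5} safe={neutralize(sample)!r}")
```
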
This archive was generated by hypermail 2b30 : Fri Apr 13 2001 - 15:10:11 PDT