[Snippage has occurred]
Blue Boar wrote:
> The format of the SSI command entered is as follows:
>
> <!--#exec cmd="cat /etc/group"
>
> You should place this command (or other desired command) somewhere in the
> comments.
>
> The format of the command is part of the problem, and why I'm thinking
> there may be some sloppiness in Apache. It appears that there is an
> assumption that SSI commands tend to be on lines by themselves, and are of
> the format:
>
> <!--# (SSI command) -->
>
> In my testing with the most recent Apache at the time (1.3.9) I found it
> took any of the following:
>
> <!--#exec cmd="cat /etc/group"-->
> <!--#exec cmd="cat /etc/group">
> <!--#exec cmd="cat /etc/group"
>
> It also didn't seem to matter that it was in the middle of a line of HTML.
>
> I'm actually a bit more worried about how many other scripts make this
> assumption, and how long Apache has been making that be a bad assumption.
Apache doesn't make a bad assumption. If you don't want SSIs executing
stuff, you shouldn't enable it.
Cheers,
Ben.
--
http://www.apache-ssl.org/ben.html
"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
- Indira Gandhi
