The following reply was made to PR mod_include/3500; it has been noted by GNATS.
From: Todd Vierling <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Cc:
Subject: Re: mod_include/3500: mod_include unconditionally disallows parent directories
Date: Fri, 11 Dec 1998 15:11:36 -0500 (EST)

: State-Changed-From-To: open-closed
: State-Changed-By: marc
: State-Changed-When: Mon Dec 7 11:27:34 PST 1998
: State-Changed-Why:
: include file is not really recommended and has this limitation
: on purpose.

I expected this answer. Before I resubmit the PR, I'll offer a full explanation and hope someone will see this addendum.

If I want to do so, if IncludesNOEXEC is not set, I can <!--#exec cmd="/bin/cat /etc/passwd"--> just as easily as I could #include the file. So, this isn't a justification for disallowing access to arbitrary files.

I *want* #include file="" to work for parent directories and arbitrary files when the permissions are there, to avoid the extra overhead implied by #include virtual="". What the PR-closing comment didn't say is *why* that should be disallowed even for the `Includes' (with exec) case.

In any case, Apache as packaged by the NetBSD pkgsrc system does not have this restriction.

--
-- Todd Vierling (Personal [EMAIL PROTECTED]; Bus. [EMAIL PROTECTED])
