The following reply was made to PR mod_include/3500; it has been noted by GNATS.

From: Marc Slemko <[EMAIL PROTECTED]>
To: Todd Vierling <[EMAIL PROTECTED]>
Cc: Apache bugs database <[EMAIL PROTECTED]>
Subject: Re: mod_include/3500: mod_include unconditionally disallows parent directories
Date: Fri, 11 Dec 1998 13:42:49 -0800 (PST)

On 11 Dec 1998, Todd Vierling wrote:

> The following reply was made to PR mod_include/3500; it has been noted by
> GNATS.
>
> From: Todd Vierling <[EMAIL PROTECTED]>
> To: [EMAIL PROTECTED]
> Cc:
> Subject: Re: mod_include/3500: mod_include unconditionally disallows
> parent
> directories
> Date: Fri, 11 Dec 1998 15:11:36 -0500 (EST)
>
> : State-Changed-From-To: open-closed
> : State-Changed-By: marc
> : State-Changed-When: Mon Dec 7 11:27:34 PST 1998
> : State-Changed-Why:
> : include file is not really recommended and has this limitation
> : on purpose.
>
> I expected this answer. Before I resubmit the PR, I'll offer a full

Huh? Do you really think that submitting the PR over and over will do
anything except piss people off?

> explanation and hope someone will see this addendum.
>
> If I want to do so, if IncludesNOEXEC is not set, I can <!--#exec
> cmd="/bin/cat /etc/passwd"--> just as easily as I could #include the file.

So?

First, it is an extremely poor design to have a directive called
IncludesNOEXEC that also disables including other sorts of files. If you
want to do it for your personal use, then great. But remember that you
aren't the one having to support people who get confused by this BS.

Second, I'm not sure what you mean by "extra overhead implied by include
virtual" and can't see how that could make any difference worth bothering
about. Have you actually gone through and understood what overhead there is
and isn't and how it fits into the big picture?

>
> So, this isn't a justification for disallowing access to arbitrary files. I
> *want* #include file="" to work for parent directories and arbitrary files
> when the permissions are there, to avoid the extra overhead implied by
> #include virtual="". What the PR-closing comment didn't say is *why* that
> should be disallowed even for the `Includes' (with exec) case.
>
> In any case, Apache as packaged by the NetBSD pkgsrc system does not have
> this restriction.

It is unfortunate that you think the role of someone building packages for
an OS is to use that position to make incompatible and unwanted changes to
that program to suit their own likings. It introduces needless
incompatibilities and just makes life more difficult for everyone. Please
do not change things to fit your whims.

Crap like this is one of the reasons that, time after time, I have to
recommend that people just download Apache and install it themselves because
their vendor has gone and stupidly messed around with the one that comes
with their OS.
