On Thu, 25 Apr 2002, John Rowe wrote:

> > > Well then perl is a security hole. You should probably delete it.
>
> Matt, if you allow ExecCGI in any directory in the document tree,
> including those owned by ordinary users then you are exposing yourself to
> a terrible security risk! You should turn it off immediately!!
>
> But I'm kind of guessing you don't :-)
>
> I'm guessing that you, like the rest of us, restrict the ability to write
> those files to a limited set of system personnel but allow ordinary users
> to write HTML/XML files.

Umm, this may come as a surprise to you - but I don't do web development.
I haven't used AxKit much at all in the last 12 months. So I don't have
any personnel to worry about ;-)

> Which is roughly how I say axkit should behave. Having file:// urls allows
> someone with partial access to the system (say an exported subdirectory of
> the document root) leverage their permissions to get axkit to look at
> other parts of the host's directory tree.

I guess... But I always consider that anyone with write permissions on a
machine will be able to see anything the web user can see. Otherwise things
are really screwy on your system. Security is as strong as your weakest
point, remember.

> > It does do that. That was the whole problem in this thread. The bug that
> > Markus is stuck with is a bug in nsgmls, not in AxKit (modulo the problem
> > with relative URIs he's seeing).
>
> Maybe I'm doing something wrong (I'm very new to xml). If I have an XML
> file starting:
>
> <?xml version="1.0"?>
> <!DOCTYPE localdoc SYSTEM "/usr/local/share/sgml/dtd/local/localdoc.dtd" [
> ]>
> <?xml-stylesheet href="/xml/localdoc.xsl" type="text/xsl"?>
>
> Then my apache logs complain about a missing 'usr' directory in the
> directory where the xml file lives, not the document root. I would
> appreciate advice on how to properly specify the file.

file:///usr/....

-- 
<!-- Matt -->
<:->Get a smart net</:->
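The two threads of this exchange, how a SYSTEM identifier in a DOCTYPE gets resolved against the document's location, and John's worry that file:// references let a document reach outside the tree it was exported from, can be made concrete with a small resolver check. The code below is an added example, not AxKit or nsgmls code: it resolves the SYSTEM identifier with standard RFC 3986 rules (Python's urllib.parse.urljoin, which is not necessarily what nsgmls did in John's case) and then refuses any entity load whose resolved file path falls outside an explicit list of allowed directories. The base URI, the allowed roots and the sample identifiers are constructed for the example; only the "/usr/local/share/sgml/dtd/local/localdoc.dtd" identifier comes from John's mail.

```python
import posixpath
from urllib.parse import urljoin, urlparse, unquote


def resolve_system_id(system_id, base_uri):
    """Resolve a DOCTYPE SYSTEM identifier against the document's base URI.

    Uses RFC 3986 reference resolution (urllib.parse.urljoin).  Returns
    (uri, path): path is the filesystem path for file: URIs, None otherwise.
    """
    uri = urljoin(base_uri, system_id)
    parts = urlparse(uri)
    if parts.scheme != "file":
        return uri, None
    return uri, unquote(parts.path)


def is_confined(path, allowed_roots):
    """True if the normalised path lies under one of the allowed roots.

    Pure string/posixpath logic so it is deterministic and needs no
    filesystem; on a real host add os.path.realpath() before this check so
    symlinks cannot point the resolved path back out of the root.
    """
    norm = posixpath.normpath(path)
    for root in allowed_roots:
        root = posixpath.normpath(root)
        if norm == root or norm.startswith(root.rstrip("/") + "/"):
            return True
    return False


def check_entity_load(system_id, base_uri, allowed_roots):
    """Policy decision for one external entity reference.

    Returns ("allow", path) or ("deny", path_or_uri).  Anything that is
    not a file: URI is denied outright (no network fetches from DOCTYPEs).
    """
    uri, path = resolve_system_id(system_id, base_uri)
    if path is None:
        return "deny", uri
    return ("allow" if is_confined(path, allowed_roots) else "deny"), path


if __name__ == "__main__":
    # Constructed sample: the document lives in an exported subdirectory
    # of the document root, and DTDs may only come from the system DTD tree
    # or the document root itself (assumed layout, not from the mail).
    base = "file:///var/www/htdocs/xml/localdoc.xml"
    roots = ["/usr/local/share/sgml/dtd", "/var/www/htdocs"]
    for sysid in [
        "/usr/local/share/sgml/dtd/local/localdoc.dtd",        # from John's mail
        "file:///usr/local/share/sgml/dtd/local/localdoc.dtd",  # Matt's suggested form
        "localdoc.dtd",                                         # relative to the document
        "../../../../home/alice/private.dtd",                   # escapes the exported tree
        "http://example.invalid/localdoc.dtd",                  # non-file scheme
    ]:
        print(sysid, "->", check_entity_load(sysid, base, roots))
```

The check is the defender's side of John's point: whether the reference is written as an absolute path, a file:// URL or a relative name, what matters is where it lands after resolution, and a parser invoked by the web server should only follow it if that location is inside a directory the administrator has deliberately exposed.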
