On Thu, Apr 23, 2009 at 8:31 AM, Joe Orton <[email protected]> wrote: > - if httpd.conf has "Options Includes", and an .htaccess file has > "Options +IncludesNoExec" - should exec= be permitted in an SSI?
My (soft) preference would be exec= permitted and doc tweak to match the notion of what Includes + IncludesNoExec means - Server-side includes are permitted, but the #exec cmd and #exec cgi are disabled. It is still possible to #include virtual CGI scripts from ScriptAliased directories. + Server-side includes, except those using #exec cmd|cgi, are permitted. It is still possible to #include virtual CGI scripts from ScriptAliased directories. No net effect if enabled in the same context as Includes. Then this config snippet in htaccess means "make sure I've got at least IncludesNoExec in this context, without clobbering other subdirectories" vs. the flavors without any +/- or ones that zap Includes explicitly with a "-". -- Eric Covener [email protected]
