Thanks for all the feedback so far. I've added in tests of combinations using negative options in .htaccess, bringing the test matrix to a glorious size of 3 x 4 x 10 = 120 entries: this page gives before/after results with 2.2.x vanilla and the patch I posted previously:

http://people.apache.org/~jorton/ssi-exec/t3-jorton-v1.html

1) w.r.t. the combination: "Options Includes" in httpd.conf, with "Options -Includes +IncludesNoExec" in .htaccess: yes, that seems to do the right thing in all cases; allow SSI with no exec= - see test #107. That doesn't happen currently in all AllowOverride cases, see e.g. #67 and #97.

2) Jon asked off-list whether negative options should be permitted in .htaccess regardless of the AllowOverride mask. I'm not sure about this and would rather avoid changing that now.

3) Yes, the test results I've posted above are using the patch I posted to security@ unchanged.

4) w.r.t. 2.0/1.3 behaviour. 2.0/1.3 don't have per-Option AllowOverrides logic, so, none of this is relevant as far as I can tell; there's no security issue at least.

5) I'll post an updated patch soon which fixes the behaviour of "Options Includes"/"Options +IncludesNoExec" such that SSI is permitted without exec, as is the current 2.2.x behaviour, since that seems to be the rough consensus. Jon also spotted a minor logic flaw in the patch which I'll fix too.

I think that's everything.

Regards, Joe
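The combination from point 1, written out as the administrator's and the directory owner's halves plus a page to verify the outcome. This is an added illustration, not part of Joe's message or of the posted test matrix; the directory path, the full `AllowOverride Options` mask, and the file names are assumptions chosen so that the relative options in .htaccess are accepted (the message notes that narrower AllowOverride masks behave differently on unpatched 2.2.x).

```apache
# --- httpd.conf (server-wide, set by the administrator) ---
# Assumed directory; SSI including exec= is enabled at the server level.
<Directory "/var/www/users">
    Options Includes
    # Assumed mask: lets .htaccess adjust Options at all. The message's
    # open question is how narrower masks treat "-Includes".
    AllowOverride Options
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# --- /var/www/users/.htaccess (set by the directory owner) ---
# Both tokens are relative (+/-), so they merge with the parent's
# "Options Includes" instead of replacing it: full Includes is dropped,
# the no-exec variant stays. Expected result after the patch (test #107):
# SSI still renders, but exec= is refused.
Options -Includes +IncludesNoExec

# --- /var/www/users/check.shtml (constructed verification page) ---
# <!--#include virtual="footer.html" -->   should be expanded
# <!--#exec cmd="date" -->                 should yield the SSI error
#                                          message, not command output
```

Requesting check.shtml on the patched server is the practical check: the include expands while the exec directive renders as the default "[an error occurred while processing this directive]" text.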
