[ https://issues.apache.org/jira/browse/SLING-9767?page=com.atlassian.jira.plugin.system.issuetabpanels:comment-tabpanel&focusedCommentId=17202107#comment-17202107 ]
Robert Munteanu commented on SLING-9767:
----------------------------------------
[[email protected]] - since you added the documentation to the
Sling web site, what are your thoughts on this?
> Insecure Recommendation in Dynamic Include Documentation
> --------------------------------------------------------
>
> Key: SLING-9767
> URL: https://issues.apache.org/jira/browse/SLING-9767
> Project: Sling
> Issue Type: Improvement
> Components: Documentation
> Affects Versions: Dynamic Include 3.2.0
> Reporter: Lars Krapf
> Priority: Major
>
> The [documentation for the Sling Dynamic
> Includes|https://sling.apache.org/documentation/bundles/dynamic-includes.html#enabling-ssi-in-apache-with-the-aem-dispatcher-module]
> mentions the following:
> bq. Having added the SetOutputFilter directive, open the virtual host's
> configuration and add the Includes option to the Options directive:
> This is an extremely unsafe recommendation. The "Includes" option will allow
> anyone who can change content on the backend (e.g. AEM) to run arbitrary
> commands on the webserver (dispatcher), by injecting the {{<!--#exec-->}}
> directive.
> The recommendation should be to use the "IncludesNOEXEC" option instead,
> which will only allow including static content (with a "safe" mime-type such
> as HTML or plain-text).
> See also: http://httpd.apache.org/docs/current/mod/mod_include.html
--
This message was sent by Atlassian Jira
(v8.3.4#803005)
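Added example (my code, not from the issue, the Sling documentation or httpd): a Python audit that flags `Options` lines enabling exec-capable SSI, i.e. `Includes` or `All` (which implies it), and rewrites `Includes` to the `IncludesNOEXEC` option the report recommends. The vhost fragment inside it is constructed.

```python
"""Audit an httpd configuration for exec-capable server-side includes (SSI).
Added example; not from the Sling issue, the Sling docs or httpd itself."""
import re

# Options tokens that turn on exec-capable SSI (<!--#exec-->). "All" enables
# every option except MultiViews, so it enables Includes as well.
EXEC_CAPABLE = {"includes", "all"}
OPTIONS_RE = re.compile(r"^\s*Options\s+(.+?)\s*$", re.IGNORECASE)

# Constructed vhost fragment: one exec-capable directory, one safe one.
SAMPLE_CONFIG = """\
<VirtualHost *:80>
    SetOutputFilter INCLUDES
    <Directory /var/www/html>
        Options Indexes Includes FollowSymLinks
    </Directory>
    <Directory /var/www/safe>
        Options +IncludesNOEXEC
    </Directory>
</VirtualHost>
"""


def audit_options(config_text):
    """Return (line_no, verdict, line) per Options directive: "EXEC" if it
    enables exec-capable SSI, "NOEXEC" if only IncludesNOEXEC, else "none".
    A "-Includes" token removes the option, so it is never flagged."""
    findings = []
    for line_no, raw in enumerate(config_text.splitlines(), start=1):
        match = OPTIONS_RE.match(raw)
        if not match:
            continue
        enabled = {t.lstrip("+").lower() for t in match.group(1).split()
                   if not t.startswith("-")}
        verdict = ("EXEC" if enabled & EXEC_CAPABLE
                   else "NOEXEC" if "includesnoexec" in enabled else "none")
        findings.append((line_no, verdict, raw.strip()))
    return findings


def harden_options(config_text):
    """Rewrite each enabling `Includes` token to `IncludesNOEXEC`, the fix the
    issue recommends. `All` is left untouched (audit_options still reports it)
    because it needs an explicit option list, not a token swap."""
    out = []
    for raw in config_text.splitlines():
        if OPTIONS_RE.match(raw):
            raw = re.sub(r"(?i)(?<=[\s+])includes(?=\s|$)", "IncludesNOEXEC", raw)
        out.append(raw)
    return "\n".join(out) + "\n"
```

Run `audit_options` over the dispatcher vhost before and after `harden_options`; a remaining "EXEC" verdict means an `All` token that has to be replaced by an explicit option list by hand.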