On Thu, 3 Aug 2000, Ken Williams wrote:
> [EMAIL PROTECTED] (Rob Giseburt) wrote:
> >Are .htaccess files secure? I don't want users to be able to use
> ><perl>...</perl> sections or any other mod_perl constructs (setting scripts
> >to run via the Registry, for example) in .htaccess files. However, I need
> >..htaccess files turned on so users can password protect directories
> >site-wide (so I can't shut .htaccess files off completely.)
>
> I assume you need <Perl> sections in your main httpd.conf? If not, you can
> just shut it off altogether.
>
> Alternatively, you might want to shut it off and use a templating system to
> generate your httpd.conf file(s) so they don't have <Perl> sections in them.
>
> >One extra question: Can I turn on mod_perl SSI and have normal SSI calls at
> >the same time? In other words, can I have one page (file.pshtml maybe)
> >parsed by perl-extended SSI and another (file.shtml) be parsed by normal
> >(without perl, mod_ssi?) SSI?
>
> I'm not sure (I think probably not), but you can get the same effect if
> you use Apache::SSI for some pages and regular mod_ssi for the others.
It also depends on what you mean by "mod_perl SSI".
If Rob is talking about Ken's Apache::SSI handler, that's one thing,
but compiling PERL_SSI=1 to add #perl extentions to "regular" mod_include
is another.
Setting up Apache::SSI to handle some files and mod_include to handle
others is not a problem. But is it possible to selectively allow #perl
in only some mod_include files? If you're worried about people using
<Perl> sections in .htaccess files, you're going to have to worry about
<!--#perl sub="whatever" --> in SSI files too.
