List: apache-httpd-dev
Subject: Re: svn commit: r1387984 - /httpd/httpd/trunk/Makefile.win
From: Michael Felt <mamfelt () gmail ! com>
Date: 2012-09-21 14:24:16
Message-ID: CAN9c_NQc1vnxyb9kbMs7wZjGQWgQz-LzY60VYo3N4sFiG_x=4Q () mail ! gmail ! com
ScriptAlias enabled by default... maybe, this is "yes, but"

In 2.4.X - as in my packaging I have
#LoadModule cgid_module libexec/mod_cgid.so

by default in httpd.conf.

I was getting appropriate errors when I tried to access cgi scripts.

Also, all "AddHandler" directives (there is one) are commented out.

Unsure of what my 2.2.X package has.

On Fri, Sep 21, 2012 at 2:13 AM, Gregg Smith <gls@gknw.net> wrote:
> On 9/20/2012 4:36 PM, Guenter Knauf wrote:
>
> > On 20.09.2012 16:56, Guenter Knauf wrote:
> >
> > > On 20.09.2012 16:16, Guenter Knauf wrote:
> > >
> > > > On 20.09.2012 16:02, Jeff Trawick wrote:
> > > >
> > > > > We shouldn't have scripts which, out of the box, leak information
> > > > > about the system or configuration.
> > > > >
> > > > ok, I change the script in a way as printenv has (make shebang
> > > > in-active);
> > > >
> > > done:
> > > http://svn.apache.org/viewvc?rev=1388054&view=rev
> > >
> > from trunk/Makefile.win line 1043ff:
> > copy docs\cgi-examples\printenv "$(INSTDIR)\cgi-bin\printenv.pl" <.y
> > -awk -f <<script.awk "docs/cgi-examples/printenv" > "$(INSTDIR)\cgi-bin\printenv.pl"
> > BEGIN {
> > if ( "perl -e \"print $$^X;\"" | getline perlroot ) {
> > gsub( /\\/, "/", perlroot );
> > print "#!" perlroot;
> > }
> > }
> > {
> > if ( $$0 !~ /^#!/ ) {
> > print $$0;
> > }
> > }
> > <<
> >
> > so this is the place where the shebang gets fixed for printenv.pl thus
> > making it executable unless perl is not in search path ...
> > shouldn't we then remove this part and only copy it unchanged?
> >
>
> These are samples, I think they should be executable. I personally do not
> like the fact that ScriptAlias is enabled by default. I think that is as
> much a concern.
>
> Regards,
> Gregg
>
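
An added example, not part of the thread or of httpd's own tooling: a small Python check that combines the conditions discussed in this message (an uncommented CGI module, an uncommented ScriptAlias, and an active shebang in the sample script) to list which sample scripts would be run as CGI. The paths and file contents are constructed; file permissions and directories mapped only through AddHandler are not evaluated.

```python
import re

# Uncommented directives that decide whether files in cgi-bin are run as CGI.
CGI_MODULE = re.compile(r'^\s*LoadModule\s+cgid?_module\b', re.I)
SCRIPT_ALIAS = re.compile(r'^\s*ScriptAlias\s+(\S+)\s+"?([^"\s]+)"?', re.I)
ADD_HANDLER = re.compile(r'^\s*AddHandler\s+cgi-script\b', re.I)

def parse_conf(text):
    """Return which CGI-enabling directives are active (not commented out)."""
    state = {"module": False, "aliases": [], "addhandler": False}
    for line in text.splitlines():
        if line.lstrip().startswith("#"):
            continue
        if CGI_MODULE.match(line):
            state["module"] = True
        elif (m := SCRIPT_ALIAS.match(line)):
            state["aliases"].append((m.group(1), m.group(2)))
        elif ADD_HANDLER.match(line):
            state["addhandler"] = True
    return state

def shebang_active(script_text):
    """True if the first line names an interpreter, e.g. '#!/usr/bin/perl'."""
    first = script_text.splitlines()[0] if script_text else ""
    return bool(re.match(r'^#!\s*\S+', first))

def cgi_runnable(conf_text, scripts):
    """scripts maps a file path to its contents; returns paths run as CGI."""
    state = parse_conf(conf_text)
    if not state["module"]:
        return []  # no CGI module loaded (the reply reports errors here)
    dirs = [d.rstrip("/") + "/" for _, d in state["aliases"]]
    return sorted(p for p, body in scripts.items()
                  if any(p.startswith(d) for d in dirs) and shebang_active(body))

# Constructed sample inputs (not taken from any real installation).
CONF_DEFAULT = (
    '#LoadModule cgid_module libexec/mod_cgid.so\n'
    'ScriptAlias /cgi-bin/ "/opt/httpd/cgi-bin/"\n'
    '#AddHandler cgi-script .cgi\n'
)
CONF_ENABLED = CONF_DEFAULT.replace("#LoadModule", "LoadModule")
SCRIPTS = {
    "/opt/httpd/cgi-bin/printenv": "#\n# first line is not a shebang\n",
    "/opt/httpd/cgi-bin/printenv.pl": "#!/usr/bin/perl\n# body omitted\n",
}

if __name__ == "__main__":
    print(cgi_runnable(CONF_DEFAULT, SCRIPTS), cgi_runnable(CONF_ENABLED, SCRIPTS))
```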