
List:       apache-httpd-dev
Subject:    Re: svn commit: r1387984 - /httpd/httpd/trunk/Makefile.win
From:       Michael Felt <mamfelt () gmail ! com>
Date:       2012-09-21 14:24:16
Message-ID: CAN9c_NQc1vnxyb9kbMs7wZjGQWgQz-LzY60VYo3N4sFiG_x=4Q () mail ! gmail ! com

ScriptAlias enabled by default... maybe, this is "yes, but"

In 2.4.X - as in my packaging I have
#LoadModule cgid_module libexec/mod_cgid.so

by default in httpd.conf.

I was getting appropriate errors when I tried to access cgi scripts.

Also, all "AddHandler" directives (there is one) are commented out.

Unsure of what my 2.2.X package has.

On Fri, Sep 21, 2012 at 2:13 AM, Gregg Smith <gls@gknw.net> wrote:

> On 9/20/2012 4:36 PM, Guenter Knauf wrote:
> 
> > On 20.09.2012 16:56, Guenter Knauf wrote:
> > 
> > > On 20.09.2012 16:16, Guenter Knauf wrote:
> > > 
> > > > On 20.09.2012 16:02, Jeff Trawick wrote:
> > > > 
> > > > > We shouldn't have scripts which, out of the box, leak information
> > > > > about the system or configuration.
> > > > > 
> > > > ok, I change the script in a way as printenv has (make shebang
> > > > in-active);
> > > > 
> > > done:
> > > http://svn.apache.org/viewvc?rev=1388054&view=rev
> > >  
> > from trunk/Makefile.win line 1043ff:
> > copy docs\cgi-examples\printenv "$(INSTDIR)\cgi-bin\printenv.pl" <.y
> > -awk -f <<script.awk "docs/cgi-examples/printenv" > "$(INSTDIR)\cgi-bin\printenv.pl"
> > BEGIN {
> > if ( "perl -e \"print $$^X;\"" | getline perlroot ) {
> > gsub( /\\/, "/", perlroot );
> > print "#!" perlroot;
> > }
> > }
> > {
> > if ( $$0 !~ /^#!/ ) {
> > print $$0;
> > }
> > }
> > <<
> > 
> > so this is the place where the shebang gets fixed for printenv.pl thus
> > making it executable unless perl is not in search path ...
> > shouldn't we then remove this part and only copy it unchanged?
> > 
> 
> These are samples, I think they should be executable. I personally do not
> like the fact that ScriptAlias is enabled by default. I think that is as
> much a concern.
> 
> Regards,
> Gregg
> 
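
An added example (not part of the thread and not httpd project code): a small Python check for the two conditions discussed above, namely whether a CGI module is actually loaded next to an active ScriptAlias, and whether a sample in cgi-bin carries an active shebang. The configuration and script contents are constructed; the parser assumes CGI modules are loaded via LoadModule, ignores Include and section tags such as `<IfModule>`, and expects quoted paths without spaces.

```python
import re

CGI_MODULES = {"cgi_module", "cgid_module"}

def directives(conf_text):
    """Yield (name, args) per uncommented directive; joins '\\' continuations.
    Assumption: section tags (<IfModule>, <Directory>) and Include are ignored."""
    for line in re.sub(r"\\\r?\n", " ", conf_text).splitlines():
        parts = line.split()
        if parts and not parts[0].startswith(("#", "<")):
            yield parts[0].lower(), [a.strip('"') for a in parts[1:]]

def cgi_exposure(conf_text):
    """Report whether a CGI module is loaded and which paths are mapped to CGI."""
    loaded, aliases, extensions = set(), [], []
    for name, args in directives(conf_text):
        if name == "loadmodule" and args and args[0] in CGI_MODULES:
            loaded.add(args[0])
        elif name == "scriptalias" and len(args) >= 2:
            aliases.append((args[0], args[1]))
        elif name == "addhandler" and args and args[0].lower() == "cgi-script":
            extensions.extend(args[1:])
    return {"modules": sorted(loaded), "script_aliases": aliases,
            "cgi_extensions": extensions,
            "script_alias_active": bool(loaded and aliases)}

def has_active_shebang(script_text):
    """True when the first line is a #! interpreter line."""
    return script_text.startswith("#!")

def runnable_samples(conf_text, scripts):
    """Names of cgi-bin files the server could run: CGI on and shebang active."""
    if not cgi_exposure(conf_text)["script_alias_active"]:
        return []
    return sorted(n for n, body in scripts.items() if has_active_shebang(body))

# Constructed inputs. CONF_PACKAGED mirrors the packaging described in the message.
CONF_PACKAGED = """\
#LoadModule cgid_module libexec/mod_cgid.so
ScriptAlias /cgi-bin/ "/usr/local/apache2/cgi-bin/"
#AddHandler cgi-script .cgi
"""
CONF_ENABLED = CONF_PACKAGED.replace("#LoadModule", "LoadModule")
SCRIPTS = {
    "printenv.pl": "#!C:/Perl/bin/perl.exe\nprint 'rewritten shebang';\n",
    "printenv": "#\n# shebang made inactive\nprint 'inactive';\n",
}

if __name__ == "__main__":
    for label, conf in (("packaged", CONF_PACKAGED), ("cgid enabled", CONF_ENABLED)):
        print(label, cgi_exposure(conf), runnable_samples(conf, SCRIPTS))
```

With the module line commented out the ScriptAlias stays inert; once `cgid_module` is loaded, only the copy whose shebang was rewritten is reported.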




