httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From John Callahan <>
Subject [users@httpd] Bug in 1.3.x mod_include?
Date Wed, 23 Apr 2003 17:58:50 GMT

Hello fellow Apache Users:

I am trying to figure out how to do an SSI "include virtual" of a CGI
program without turning off IncludesNOEXEC.  The documentation seems to
imply that it will work, but the source code seems to think an "include
virtual" of any document not classed as "text" is a potential exec.

The documentation indicates the following:

     Server-side includes are permitted, but the #exec command and #exec
CGI are disabled.
     It is still possible to #include virtual CGI scripts from
ScriptAliase'd directories.


However, the behavior is as follows:
     unable to include potential exec "/cgi-bin/test.cgi" in parsed file

I believe this is a result of the following code (starting @ line 688 of

            if (!error_fmt && noexec && rr->content_type
                && (strncmp(rr->content_type, "text/", 5))) {
                error_fmt = "unable to include potential exec \"%s\" "
                    "in parsed file %s";

I find no code in mod_include.c that would exempt ScriptAliased areas
from this check.

I understand the logic of treating an "include file" directive of a CGI
program as potentially hostile, but why "include virtual"?  Isn't
"include virtual" just creating a subrequest to a URI that falls under
the normal rules of access?

Thanks for any insights!

John P. Callahan <>
Director, Network Services
Willamette University
900 State St, Salem OR, 97301
Phone: 503-375-5495 Fax: 503-375-5456

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message