Re[2]: BUG: fastcgi ssi output is not parsed for nested ssi's

Shadrach Todd (shad@pathfinder.com)
Fri, 25 Apr 1997 16:05:31 -0400 (EDT)

From: shad@pathfinder.com (Shadrach Todd)
Message-Id: <199704252005.QAA28342@binge.dev.pathfinder.com.pathfinder.com>
Date: Fri, 25 Apr 1997 16:05:31 -0400 (EDT)
To: gambarin@OpenMarket.com
Subject: Re[2]: BUG: fastcgi ssi output is not parsed for nested ssi's
In-Reply-To: <199704251833.OAA00422@u4-138.openmarket.com>

Hi Stanley,

In the words of Peter Kamali,

"I really don't see how this is any more of
a security hole than cgi's themselves. (?)"

Would you describe the security hole this creates? Also, 'security holes' usually
elicit an error on parsing. In this case, this is not the failure mode.

Shad 


Stanley Gambarin <gambarin@OpenMarket.com> wrote:
> 	The content that is returned by the FastCGI (or even CGI) application
> is not supposed to be parsed for the nested SSI directives.  This is not a bug, 
> since adding the above functionality would introduce a security hole into the 
> webserver.
> 						Hope that was of some help.
> 								Stanley.


--
Shadrach Todd
Manager, Systems Development                shad@pathfinder.com
Time Inc. New Media                         http://pathfinder.com