    Why are SSIs bad? —Jeremy Sproat
   Hey all, I use SSI (server-side includes) a *LOT* on my Web pages. They're extremely powerful and versatile. I'm almost a firm believer. But I recall some folks warning about potential security holes and other problems with SSI. Rooting around the (...) (25 years ago, 30-Sep-99, to lugnet.off-topic.geek, lugnet.publish)
   
        Re: Why are SSIs bad? —Jacob Sparre Andersen
   Sproaticus: (...) I am not quite sure what security problems there are with SSI. My main reason for (mostly) not using SSI on published web pages is that I suspect that it means that the pages won't be stored by proxies. Is it possible to make (...) (25 years ago, 30-Sep-99, to lugnet.off-topic.geek, lugnet.publish)
   
        Re: Why are SSIs bad? —Jeremy Sproat
     (...) My ISP (io.com) serves .shtml so they expire quickly (I believe but haven't tested), but .html files with the executable file attribute (using XBitHack) are served as if they were static, even with SSI code. I use the XBitHack approach. It's (...) (25 years ago, 30-Sep-99, to lugnet.off-topic.geek, lugnet.publish)
   
        Re: Why are SSIs bad? —Matthew Miller
   (...) If you're the site admin, there's not a security problem. The security issue is with letting your _users_ use SSI, because those commands execute as the user which owns the web server. Which, if you don't trust your users, is a bad thing. (...) (25 years ago, 30-Sep-99, to lugnet.off-topic.geek, lugnet.publish)
   
        Re: Why are SSIs bad? —Jacob Sparre Andersen
   [ FUT lugnet.publish ] Matthew: [...] (...) Would you care to give a lazy web site manager a hint for doing this with Apache? Play well, Jacob ---...--- -- E-mail: sparre@cats.nbi.dk -- -- Web...: <URL:(URL) -- ---...--- (25 years ago, 1-Oct-99, to lugnet.off-topic.geek, lugnet.publish)
   
        Re: Why are SSIs bad? —Matthew Miller
   (...) Check in your httpd.conf for this:
   # CacheNegotiatedDocs: By default, Apache sends Pragma: no-cache with each
   # document that was negotiated on the basis of content. This asks proxy
   # servers not to cache the document. Uncommenting the (...)
   (25 years ago, 1-Oct-99, to lugnet.publish)
   
        Re: Why are SSIs bad? —Jacob Sparre Andersen
   Matthew: (...) Hmm? This sounds more like it is related to content negotiation, which among other things is used to deliver documents in a language the reader understands. Does it mean that proxy servers don't know about content negotiation? (...) (...) (25 years ago, 1-Oct-99, to lugnet.publish)
   
        Re: Why are SSIs bad? —Matthew Miller
   (...) Actually, I think you're right. Sorry -- too early in the morning. Or late at night. Whenever it was when I wrote that. Disregard what I said. :) I just tested, and it looks to me like Apache isn't setting "Pragma: no-cache". So I think what (...) (25 years ago, 1-Oct-99, to lugnet.publish)
 

©2005 LUGNET. All rights reserved. - hosted by steinbruch.info GbR