From owner-freebsd-questions Thu Aug 28 06:11:06 1997
From: 026809r@dragon.acadiau.ca (Michael Richards)
Message-Id: <199708281311.KAA14081@dragon.acadiau.ca>
Subject: Re: Server Side Includes
To: spork@super-g.com (spork)
Date: Thu, 28 Aug 1997 10:11:02 -0300 (ADT)
Cc: freebsd-questions@freebsd.org
In-Reply-To: from "spork" at Aug 27, 97 11:04:49 pm

> You should be careful where you put SSI...
>
> Especially if you have any pages (such as a guestbook) that allow users to
> "create" html on the fly. It's rather simple for someone to include an
> SSI directive in their bulletin board post. That command could do all
> sorts of nasty things, such as rm -rf /, /usr/X11R6/bin/xterm, etc...

That is a good thought...
Surely the output from a CGI wouldn't be parsed though, would it?
Perhaps something like s/--#exec/--exec/i oughta do the trick?
I have nightmares about regular expressions though!

-Mike
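The following is an added example, not part of the original message: it runs the s/--#exec/--exec/i substitution from the post next to plain HTML escaping, and checks whether anything an SSI parser would act on survives in the stored guestbook entry. It goes slightly beyond the message by also testing a directive other than exec. The function names, the sample posts and the assumption that the guestbook CGI appends entries to a page that is later SSI-parsed are all constructed for illustration.

```python
import html
import re

# Any SSI directive starts with this opener, whatever the directive name is.
SSI_OPENER = re.compile(r"<!--#")

def neutralise_exec(text):
    """The substitution proposed in the message: s/--#exec/--exec/i."""
    return re.sub(r"--#exec", "--exec", text, flags=re.IGNORECASE)

def escape_post(text):
    """Encode the post as plain text so that no markup of any kind survives."""
    return html.escape(text, quote=True)

def has_ssi_directive(fragment):
    """True if the fragment still holds something an SSI parser would act on."""
    return SSI_OPENER.search(fragment) is not None

def render_entry(name, message, sanitise):
    """Build the HTML fragment a guestbook CGI would append to the page."""
    return "<p><b>{}</b>: {}</p>".format(sanitise(name), sanitise(message))

# Constructed guestbook posts (name, message); not taken from the thread.
SAMPLE_POSTS = [
    ("alice", "Nice site!"),
    ("bob", '<!--#exec cmd="date" -->'),
    ("carol", '<!--#EXEC cmd="date" -->'),
    ("dave", '<!--#echo var="DATE_LOCAL" -->'),
]

def audit(posts):
    """For each poster, report whether a directive survives each sanitiser."""
    report = {}
    for name, message in posts:
        report[name] = {
            "exec_only": has_ssi_directive(render_entry(name, message, neutralise_exec)),
            "escaped": has_ssi_directive(render_entry(name, message, escape_post)),
        }
    return report

if __name__ == "__main__":
    for name, result in audit(SAMPLE_POSTS).items():
        print(name, result)
```

The exec-only substitution handles both spellings of exec but leaves the echo directive intact, while escaping removes the opener for every directive because the leading `<` is stored as `&lt;`.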