Re: Need advice on SSI exec cmd and php files



On Sun, 28 May 2006, Kai Schaetzl wrote:

> I have a client who first asked to enable SSI parsing for .html
> files. As this adds extra burden on the server I have it disabled by
> default.

OK so far, although I prefer "XBitHack full" myself, so that one can
get just a bit (sic:) of control over cacheability.

Whether SSI is really /needed/ depends on the content, of course. If
it's inserting content that genuinely does change frequently, and
there would be some disadvantage in showing the reader stale data,
then it's OK. If it's used as a lazy way to assemble components into
what is essentially a static web page[1], then it's less justifiable.

> After some reluctance I gave it to her since she's coming from a
> server where she had this all configured herself and needed to
> rewrite her files if I didn't cater for that.

[1] I'm sure I've seen an offline script somewhere which does
SSI-style page assembly, and then publishes the result on the server
as a static file. But I suppose we have to proceed on the assumption
that this page really does need to change per access...

> Now she's asking for inclusion of php files obviously because she
> wants them to get executed and then included in the SSI parsed file.
> I have IncludesNoExec set and this is Apache 2.0. As I understand
> switching this on is a major security risk. Further, if I understand
> correctly, inclusion of PHP files with exec cmd would run them as
> shell script (if they have the correct shebang path) which would
> allow them to break out of any restrictions the module may have
> (safe_mode, open_basedir etc.) and inclusion with exec cgi would
> only work if PHP was installed as a cgi.

This seems to me to be blundering around to a very contorted solution.
PHP has a rather chequered history of security issues, but let's
suppose you have decided you're willing to support PHP on the server.
Then it should be run as a handler directly, *not* executed by some
back-hand mechanism from SSI.

Digression: as I recall, the Apache SSI tutorials recommended, in
preference to #exec cmd="...", to use #include virtual="..." whenever
possible. See e.g. the last paragraph of this section:
http://httpd.apache.org/docs/2.0/misc/security_tips.html#ssi

*But* I'm unclear why one would need SSI *and* PHP together - sounds
like a recipe for unexpected effects, but what's worse, it would rule
out all of PHP's useful features for influencing the HTTP headers.
So I'd do what I could to discourage that, i.e. re-examine the real
requirement.

> So, I'm very reluctant to allow this. It's a security risk and it
> adds extra processing overhead which could all be avoided by just
> using PHP from the beginning.

Sounds right to me.

> She says she works for several big companies (not our clients) as a
> webmaster and claims that including executable PHP in SSI and
> parsing all files as SSI is common there to avoid that anyone can
> see that it's something else than html files.

Any fool can see from the HTTP response headers that the response from
an SSI is "something else than html files". So this is nonsense.

Don't just look at the filename extension in the URL - as far as HTTP
protocol is concerned, it's meaningless. It doesn't even need to be
there. Or ".html" could signify SSI, or CGI, or PHP or whatever you
care to configure Apache for.

> I just think it's bad practice.

That too, but the whole tangled scheme doesn't seem to make a great
deal of sense. If you/they are going to use PHP at all, then at least
use it properly. Which is what you were saying already.

> Am I just paranoid and picky or is this request for inclusion of PHP
> or exec cmd in general reasonable?

I'd say that in specific instances there might be some justification
for enabling it, but prima facie this request doesn't seem to know
what it wants. Either turn it down, or quote a sufficiently
discouraging extra charge for it, IMHO ;-)

Disclaimer: I happen to run an httpd in an academic situation, as one
of the many other things I'm expected to deal with. But I'd have no
idea what to charge for it commercially, so don't mind me.

cheers
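As an added illustration (not part of the mail above), here are the two Apache 2.0 configurations the thread contrasts: full Includes with #exec cmd available, versus IncludesNOEXEC with XBitHack full and PHP run as a handler in its own right. Directory paths are made up, and mod_php is assumed to be loaded elsewhere in the main config.

```apache
# Weak setting, the one the mail argues against: full Includes lets any
# SSI-parsed .html file run arbitrary commands via <!--#exec cmd="..." -->,
# so whoever can upload a page effectively has a shell as the httpd user,
# outside any safe_mode / open_basedir limits the PHP module enforces.
<Directory "/var/www/clients/example">
    Options +Includes
    AddType text/html .html
    AddOutputFilter INCLUDES .html
</Directory>

# Hardened setting: SSI stays available for fragments that genuinely change
# per request, but mod_include refuses #exec cmd and #exec cgi. Files named
# .shtml are always parsed; with XBitHack full an .html file is parsed only
# when its owner execute bit is set, and if the group execute bit is set as
# well Apache still sends Last-Modified, so the page remains cacheable.
<Directory "/var/www/clients/example">
    Options +IncludesNOEXEC
    XBitHack full
    AddType text/html .shtml
    AddOutputFilter INCLUDES .shtml
</Directory>

# PHP is served by its own handler, not spawned from an SSI directive:
# a request for /foo.php goes straight to the PHP module, which can set
# its own HTTP headers (the feature the SSI detour would throw away).
AddType application/x-httpd-php .php
```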


