[In order for any reply to be added to the PR database, ] [you need to include <[EMAIL PROTECTED]> in the Cc line ] [and leave the subject line UNCHANGED. This is not done] [automatically because of the potential for mail loops. ] [If you do not include this Cc, your reply may be ig- ] [nored unless you are responding to an explicit request ] [from a developer. ] [Reply only with text; DO NOT SEND ATTACHMENTS! ]
Synopsis: Supporting CGI-variables created by POST for SSI State-Changed-From-To: open-closed State-Changed-By: dgaudet State-Changed-When: Tue Apr 20 20:49:25 PDT 1999 State-Changed-Why: Dude, you should be careful with this -- you've just opened yourself up to some exploits. I can request urls with trailing ?DATE_LOCAL=blah&DOCUMENT_NAME=foo and your code will overwrite the server's variables. I'm also really concerned about adding this to apache in general, since SSI provides very little way to verify the validity of the arguments. It could make it all too easy/tempting for folks to write insecure web pages. Using something like mod_php or mod_perl seems much more appropriate. Dean
