From 8a9b4b61cd9a7f7a39cc44eafc7d2b88159ff36f Mon Sep 17 00:00:00 2001
From: "William A. Rowe Jr"
Date: Thu, 13 Dec 2001 17:24:27 +0000
Subject: [PATCH] Not really an XXX here
git-svn-id: https://svn.apache.org/repos/asf/httpd/httpd/trunk@92453 13f79535-47bb-0310-9956-ffa450edef68
---
 modules/metadata/mod_cern_meta.c | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/modules/metadata/mod_cern_meta.c b/modules/metadata/mod_cern_meta.c
index 4bb69ec3bc..e9ed8ab299 100644
--- a/modules/metadata/mod_cern_meta.c
+++ b/modules/metadata/mod_cern_meta.c
@@ -361,10 +361,16 @@ static int add_cern_meta_data(request_rec *r)
 dconf->metasuffix ? dconf->metasuffix : DEFAULT_METASUFFIX,
 NULL);
 
- /* XXX: it sucks to require this subrequest to complete, because this
+ /* It sucks to require this subrequest to complete, because this
 * means people must leave their meta files accessible to the world.
 * A better solution might be a "safe open" feature of pfopen to avoid
 * pipes, symlinks, and crap like that.
+ *
+ * In fact, this doesn't suck. Because blocks are never run
+ * against sub_req_lookup_file, the meta can be somewhat protected by
+ * either masking it with a directive or alias, or stowing
+ * the file outside of the web document tree, while providing the
+ * appropriate directory blocks to allow access to it as a file.
 */
 rr = ap_sub_req_lookup_file(metafilename, r, NULL);
 if (rr->status != HTTP_OK) {
-- 
2.50.1
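Review bot: The comment above the `ap_sub_req_lookup_file` call keeps the old paragraph ("It sucks to require this subrequest to complete ... accessible to the world") and then contradicts it with "In fact, this doesn't suck", so an administrator deciding how to protect meta files has to reconcile two opposite statements. I would replace both paragraphs with one statement of the access model, along the lines of `/* The meta file is looked up as a file sub-request and must pass the directory rules for its filesystem path; it does not have to be reachable by URL. */`, with the last clause kept only if it matches what the sub-request actually enforces. As shown on this page, "Because blocks are never run" and "masking it with a directive or alias" do not name the block or directive type, which looks like lost markup; the comment should name them explicitly, because that is the whole of the mitigation advice. add_cern_meta_data starts and ends outside the hunk, so the handling of a non-OK `rr->status` is not visible here.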