You are viewing a plain text version of this content. The canonical link for it is here.

Posted to modperl@perl.apache.org by ka...@suvi.kas.utu.fi on 2002/04/08 07:48:57 UTC

Disabling Perl*Handlers in .htaccess?

	Hello!

How to enable only PerlSetVar/PerlAddVar directives in .htaccess files?

More specific:

We are building an multiuser environment with mod_perl to our
campus. Mod_perl handlers contain especially PerlHandlers configured in
httpd.conf. The .htaccess files are used for authorization (require
user/group) and some tailoring (PerlSetVar/PerlAddVar) allowed for all
users at their home directories.

However, the security risks are quite obvious when .htaccess contains
directives like PerlHandler:

PerlHandler "sub {`touch /tmp/xxx`}"


How to enable only PerlSetVar/PerlAddVar directives in .htaccess files?

-- 

Kari Nurmela,
	kari.nurmela@utu.fi, (02) 333 8847 / (0400) 786 547