Posted to dev@httpd.apache.org by Alvaro Martinez Echevarria <al...@lander.es> on 1998/06/10 23:01:06 UTC

[PATCH] CGIs not working (PR#2354)

Hi.
Although PR#2354 sounds like the typical newbie dummy problem,
there are a couple of little real problems behind it (I guess,
because the amount of data provided in the bug report is very
small):

-both of the test CGIs are installed without execute permissions
 by "make install", so if you want to use them you need to
 manually do chmod. Shouldn't the installation do that?

-the first line of "printenv" is "#!/usr/local/bin/perl". Well, I
 can't think of a lot of systems where perl lives there.
 "/usr/bin/perl" is probably more general. Anyway, I think
 the installation should change the CGI. Or perhaps this would be
 enough:
   #!/bin/sh
   echo Content-Type: text/html
   echo
   echo '<pre>'
   set
   echo '</pre>'

These problems are quite small, but solving them could save a few
headaches among our inexperienced users. So, I include a patch that
solves both problems, with the following CHANGES:

  *) Changed the top Makefile to install the test CGIs with execute
     permission, and to replace the "#!" header of printenv with
     the correct location of perl. [Alvaro Martinez Echevarria]

By the way, is the correct way of dealing with PRs documented
anywhere? I say "correct", because I suspect I am not dealing
with this the right way: on the two PRs I've dealt with today, I
haven't sent any mail to the originators of the bug reports, nor
have I forwarded my messages anywhere to include them in the
bug-db, etc.
Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'


Re: [PATCH] CGIs not working (PR#2354)

Posted by Singly Bertrand de <si...@frankiz.polytechnique.fr>.
> On the default configuration CGIs will not be enabled just by setting
> execute permission, because the ScriptAlias directive is
> commented out in srm.conf and src.conf.default. The problem comes
> out if you set it up to allow CGIs: it won't work until you don't

Well, it seems the doc isn't clear enough.

I just had a look at this page yesterday:
http://www.urec.cnrs.fr/cours/securite/Apache/chap4.html
where the author writes (in French) that the Apache server is provided
with cgi-examples and that ScriptAlias allows access to this directory.
This doc may be old (1997), but perhaps this is not clearly in the docs.
As far as I am concerned, I think that it is better to chmod u=rwx the CGI
examples and to leave the ScriptAlias uncommented, adding a comment in the
conf.default file such as "If you uncomment the ScriptAlias directive,
you'll be allowed to run CGI scripts in this directory, but Apache is
provided with 3 CGI examples that you should remove on a server, except
for test purposes".

Bertrand de Singly


Re: [PATCH] CGIs not working (PR#2354)

Posted by Alvaro Martinez Echevarria <al...@lander.es>.
On Wed, 10 Jun 1998, Manoj Kasichainula wrote:

> On Wed, Jun 10, 1998 at 11:01:06PM +0200, Alvaro Martinez Echevarria wrote:
> > -both of the test CGIs are installed without execute permissions
> >  by "make install", so if you want to use them you need to
> >  manually do chmod. Shouldn't the installation do that?
> 
> Although I don't know if this was the reasoning, it is probably not a
> good idea to enable any preinstalled CGI scripts by default, because
> it could lead to problems like the old phf bugs if security holes are
> found. If webmasters have to explicitly enable these scripts (which
> are only useful for testing anyway), they are much more likely to
> disable them when holes are found.

On the default configuration CGIs will not be enabled just by setting
execute permission, because the ScriptAlias directive is
commented out in srm.conf and src.conf.default. The problem comes
out if you set it up to allow CGIs: it won't work until you
chmod (and that's not documented anywhere, I think).
Regards.

.------------------------------------------------------------------.
|   Alvaro Martínez Echevarría   |      LANDER SISTEMAS            |
|        alvaro@lander.es        |      Pº Castellana, 121         |
`--------------------------------|      28046 Madrid, SPAIN        |
                                 |      Tel: +34-91-5562883        |
                                 |      Fax: +34-91-5563001        |
                                 `---------------------------------'
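
The conditions discussed in this message and in the first post (an uncommented ScriptAlias, the execute bit, and a "#!" interpreter that exists) can be checked together. The following POSIX sh audit is an added example, not part of the original thread or of the Apache patch; the file contents, the /path/to/cgi-bin/ path and the config line built by make_sample are constructed sample data.

```shell
#!/bin/sh
# Added example: report which scripts in a CGI directory Apache could actually run.
# A script is LIVE only if the config has an uncommented ScriptAlias AND the file
# has an execute bit; its "#!" interpreter must also exist for it to work.

scriptalias_active() {   # $1 = config file; succeeds if ScriptAlias is not commented out
    grep -Eiq '^[[:space:]]*ScriptAlias[[:space:]]' "$1"
}

audit_cgi() {            # $1 = config file, $2 = CGI directory; prints one line per script
    if scriptalias_active "$1"; then sa=on; else sa=off; fi
    live=0
    for f in "$2"/*; do
        [ -f "$f" ] || continue
        if [ -x "$f" ]; then xbit=yes; else xbit=no; fi
        # Interpreter path taken from the first line, empty if there is no "#!"
        interp=$(sed -n '1s/^#![[:space:]]*\([^[:space:]]*\).*/\1/p' "$f")
        if [ -z "$interp" ]; then istate=none
        elif [ -x "$interp" ]; then istate=ok
        else istate=missing; fi
        state=inert
        if [ "$sa" = on ] && [ "$xbit" = yes ]; then state=LIVE; live=$((live + 1)); fi
        echo "${f##*/} scriptalias=$sa exec=$xbit interpreter=$istate $state"
    done
    [ "$live" -eq 0 ]    # non-zero exit status when any script is LIVE
}

make_sample() {          # constructed sample tree (not real Apache files); prints its path
    d=$(mktemp -d) && mkdir "$d/cgi-bin" || return 1
    printf '#!/nonexistent/bin/perl\nprint "x";\n' > "$d/cgi-bin/printenv"
    printf '#!/bin/sh\necho\n' > "$d/cgi-bin/test-cgi"
    chmod 644 "$d/cgi-bin/printenv" "$d/cgi-bin/test-cgi"
    printf '#ScriptAlias /cgi-bin/ /path/to/cgi-bin/\n' > "$d/srm.conf"
    echo "$d"
}

d=$(make_sample)
audit_cgi "$d/srm.conf" "$d/cgi-bin" || true      # as installed: everything inert
printf 'ScriptAlias /cgi-bin/ /path/to/cgi-bin/\n' > "$d/srm.conf"
chmod 755 "$d/cgi-bin/test-cgi"
audit_cgi "$d/srm.conf" "$d/cgi-bin" || true      # after enabling: test-cgi is LIVE
rm -rf "$d"
```

The exit status of audit_cgi is non-zero whenever at least one script is LIVE, so it can gate a deployment check on a production server where the test CGIs should not be runnable.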


Re: [PATCH] CGIs not working (PR#2354)

Posted by Manoj Kasichainula <ma...@io.com>.
On Wed, Jun 10, 1998 at 11:01:06PM +0200, Alvaro Martinez Echevarria wrote:
> -both of the test CGIs are installed without execute permissions
>  by "make install", so if you want to use them you need to
>  manually do chmod. Shouldn't the installation do that?

Although I don't know if this was the reasoning, it is probably not a
good idea to enable any preinstalled CGI scripts by default, because
it could lead to problems like the old phf bugs if security holes are
found. If webmasters have to explicitly enable these scripts (which
are only useful for testing anyway), they are much more likely to
disable them when holes are found.

-- 
Manoj Kasichainula - manojk at io dot com - http://www.io.com/~manojk/
"Even on radio, their new logo sucks" -- Aaron Dickey concerning the BBC World
Service, 1997-11-22