Posted to users@httpd.apache.org by Davy Durham <pu...@davyandbeth.com> on 2004/08/20 20:24:16 UTC
[users@httpd] disabling all cgi
Hi,
I'm developing a part of my site where users will be able to
upload/download files via http. However, currently if a user were to
upload for instance a .php file then it executes it.
QUESTION: Is there a blanket way to disable execution of anything?
I thought about using "ForceType text/plain" in the .htaccess file but
that would make .gifs, .jpgs and htmls come back as garbage, but I need
them (and whatever others that are useful) to come back with the correct
mime-type. I just want to disable execution of anything that could
pose a security threat.
I'm aware that I could manually disable php, perl and whatever others
I might have configured, but I don't want to install something in the
future and forget to come back and edit this .htaccess file.
Thanks,
Davy
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
Re: [users@httpd] disabling all cgi
Posted by Joshua Slive <js...@gmail.com>.
On Fri, 20 Aug 2004 12:10:08 -0700, Eric <ef...@kwinternet.com> wrote:
> Hi,
>
> That is a very interesting problem. My first thought was, well of course
> you can just remove mod_cgi and mod_php, but then the rest of your site
> will not work :) But you could set up an Apache that is compiled without any
> dynamic modules including mod_cgi and then use mod_rewrite to make it seem
> a part of your site.
>
> ProxyPass /uploads/ http://localhost:8080/uploads/
> ProxyPassReverse /uploads/ http://localhost:8080/uploads/
>
Very cute idea. Very resource intensive also, but it should do the job.
> Joshua, I was interested to learn that -ExecCGI gets ignored sometimes,
> which modules do that?
I don't really mean that it gets ignored, but that it just doesn't
apply to many kinds of dynamic content like php scripts.
Joshua.
Re: [users@httpd] disabling all cgi
Posted by Eric <ef...@kwinternet.com>.
Hi,
That is a very interesting problem. My first thought was, well of course
you can just remove mod_cgi and mod_php, but then the rest of your site
will not work :) But you could set up an Apache that is compiled without any
dynamic modules including mod_cgi and then use mod_rewrite to make it seem
a part of your site.
ProxyPass /uploads/ http://localhost:8080/uploads/
ProxyPassReverse /uploads/ http://localhost:8080/uploads/
Just a thought..
Joshua, I was interested to learn that -ExecCGI gets ignored sometimes,
which modules do that?
Eric
direct from your main apache to the "safe" apache.
At 11:44 AM 8/20/2004, you wrote:
>On Fri, 20 Aug 2004 13:24:16 -0500, Davy Durham <pu...@davyandbeth.com>
>wrote:
> > Hi,
> > I'm developing a part of my site where users will be able to
> > upload/download files via http. However, currently if a user were to
> > upload for instance a .php file then it executes it.
> >
> > QUESTION: Is there a blanket way to disable execution of anything?
>
>I don't think so.
>
>In a perfect world, you could simply
>SetHandler default-handler
>RemoveOutputFilter *
>Options -ExecCGI
>
>But many modules deviously use "magic" mime-types which activate
>handlers in the background, the RemoveOutputFilter directive doesn't
>work like that, and not all modules honour the ExecCGI flag.
>
>So I think you are pretty-much stuck handling each
>dynamic-content-source separately.
>
>Joshua.
>
Lead Programmer
D.M. Contact Management
250.383.8267 ext 229
Re: [users@httpd] disabling all cgi
Posted by Joshua Slive <js...@gmail.com>.
On Fri, 20 Aug 2004 16:50:15 -0500, Davy Durham <pu...@davyandbeth.com> wrote:
> Sure, it's obvious.. but why doesn't something like "Options -ExecCGI" work, and why doesn't "RemoveType .php" work? Who knows.. oh well..
Options -ExecCGI doesn't work because php scripts are *not* CGI
scripts. CGI scripts are those that are processed by mod_cgi.
RemoveType .php should work, depending on how you initially activated php.
Joshua.
Re: [users@httpd] Can't preview virtual host site locally
Posted by David Blomstrom <da...@yahoo.com>.
--- Rich Bowen <rb...@rcbowen.com> wrote:
> > It looks like I have Dreamweaver's testing server set
> > up the same as for all my other sites (which work),
> > and this is what I put in my conf file:
> >
> > <VirtualHost 127.0.0.1>
> > ServerAdmin webmaster@wbrain
> > DocumentRoot "c:/sites/wbrain"
> > ServerName wbrain
> > ServerAlias *.wbrain
> > ErrorLog logs/wbrain-error.log
> > ScriptAlias /cgi-bin/ "c:/sites/wbrain/cgi-bin/"
> > <Directory "c:/sites/wbrain">
> > Options All Includes Indexes
> > </Directory>
> > </VirtualHost>
> >
> > However, it's been a while since I set up a virtual
> > host, and it occurred to me that I may simply be
> > omitting a step in the process. Can anyone see what
> > I'm doing wrong?
>
> You're probably missing DNS resolution of that name to an IP address. In
> your case, given your description, I expect that you need to put an
> entry in your host file to map the name to your local address.
You're absolutely right; thanks!
Re: [users@httpd] Can't preview virtual host site locally
Posted by Rich Bowen <rb...@rcbowen.com>.
On Fri, 20 Aug 2004, David Blomstrom wrote:
> I have Apache installed on my computer, with virtual
> hosts, so I can preview my sites at http://geobop/,
> http://geozoo/, etc.
>
> I just created a new site, which I SHOULD be able to
> preview at http://wbrain/ - but that takes me to
> http://www.everydaycompanion.com/played/WBRAIN.asp
> instead.
This looks like it might be some kind of auto-search feature of whatever
browser you're using for sites that don't resolve to anything useful in
DNS.
> It looks like I have Dreamweaver's testing server set
> up the same as for all my other sites (which work),
> and this is what I put in my conf file:
>
> <VirtualHost 127.0.0.1>
> ServerAdmin webmaster@wbrain
> DocumentRoot "c:/sites/wbrain"
> ServerName wbrain
> ServerAlias *.wbrain
> ErrorLog logs/wbrain-error.log
> ScriptAlias /cgi-bin/ "c:/sites/wbrain/cgi-bin/"
> <Directory "c:/sites/wbrain">
> Options All Includes Indexes
> </Directory>
> </VirtualHost>
>
> However, it's been a while since I set up a virtual
> host, and it occurred to me that I may simply be
> omitting a step in the process. Can anyone see what
> I'm doing wrong?
You're probably missing DNS resolution of that name to an IP address. In
your case, given your description, I expect that you need to put an
entry in your host file to map the name to your local address.
--
Alice came to a fork in the road and saw a Cheshire cat in a tree.
"Which Road do I take?" she asked. "Where do you want to go?" was his
response. "I don't know," Alice answered. "Then," said the cat, "it
doesn't matter."
Re: [users@httpd] Can't preview virtual host site locally
Posted by David Blomstrom <da...@yahoo.com>.
Please disregard this thread; I just discovered the
problem. Thanks.
[users@httpd] Can't preview virtual host site locally
Posted by David Blomstrom <da...@yahoo.com>.
I have Apache installed on my computer, with virtual
hosts, so I can preview my sites at http://geobop/,
http://geozoo/, etc.
I just created a new site, which I SHOULD be able to
preview at http://wbrain/ - but that takes me to
http://www.everydaycompanion.com/played/WBRAIN.asp
instead.
It looks like I have Dreamweaver's testing server set
up the same as for all my other sites (which work),
and this is what I put in my conf file:
<VirtualHost 127.0.0.1>
ServerAdmin webmaster@wbrain
DocumentRoot "c:/sites/wbrain"
ServerName wbrain
ServerAlias *.wbrain
ErrorLog logs/wbrain-error.log
ScriptAlias /cgi-bin/ "c:/sites/wbrain/cgi-bin/"
<Directory "c:/sites/wbrain">
Options All Includes Indexes
</Directory>
</VirtualHost>
However, it's been a while since I set up a virtual
host, and it occurred to me that I may simply be
omitting a step in the process. Can anyone see what
I'm doing wrong?
Thanks.
Re: [users@httpd] disabling all cgi
Posted by Davy Durham <pu...@davyandbeth.com>.
Ok, for anyone interested I finally found HOW TO DISABLE PHP FROM
.htaccess file ( <--- for the search engines 'cause you can't find
much searching with that phrase currently)
Use:
php_flag engine off
Sure, it's obvious.. but why doesn't something like "Options -ExecCGI" work, and why doesn't "RemoveType .php" work? Who knows.. oh well..
Davy Durham wrote:
> Ok, now I'm just simply trying to disable php within the .htaccess
> file without not loading the module, I cannot figure out how... no
> RemoveHandler or RemoveType works from the .htaccess file!
>
Re: [users@httpd] disabling all cgi
Posted by Davy Durham <pu...@davyandbeth.com>.
Ok, now I'm just simply trying to disable php within the .htaccess
file without not loading the module, I cannot figure out how... no
RemoveHandler or RemoveType works from the .htaccess file!
Davy Durham wrote:
> Hmm, well per your advice I'm going to just disable the cgi handlers
> that I know of.
>
> So I went to disable php... I added RemoveType directives for all
> the .php .php3 .php4.. etc extensions that are set up in
> /etc/httpd/conf.d/70_mod_php.conf
>
> But that didn't disable anything. So I also added a RemoveHandler for
> the same extensions... Again nothing.
> Any idea how to disable php handling from the .htaccess file?
>
> The other alternative is to clear all the types/handlers (if that's
> possible) and just add back the ones I do want to handle (this might
> be a better solution). I tried a ForceType followed by other
> AddTypes, but the ForceType apparently overrides even subsequent added
> types.
>
> Any thoughts?
>
> Thanks again!
> Davy
>
> Joshua Slive wrote:
>
>> On Fri, 20 Aug 2004 13:24:16 -0500, Davy Durham
>> <pu...@davyandbeth.com> wrote:
>>
>>
>>> Hi,
>>> I'm developing a part of my site where users will be able to
>>> upload/download files via http. However, currently if a user were to
>>> upload for instance a .php file then it executes it.
>>>
>>> QUESTION: Is there a blanket way to disable execution of anything?
>>>
>>
>>
>> I don't think so.
>>
>> In a perfect world, you could simply
>> SetHandler default-handler
>> RemoveOutputFilter *
>> Options -ExecCGI
>>
>> But many modules deviously use "magic" mime-types which activate
>> handlers in the background, the RemoveOutputFilter directive doesn't
>> work like that, and not all modules honour the ExecCGI flag.
>>
>> So I think you are pretty-much stuck handling each
>> dynamic-content-source separately.
>>
>> Joshua.
>>
Re: [users@httpd] disabling all cgi
Posted by Davy Durham <pu...@davyandbeth.com>.
Hmm, well per your advice I'm going to just disable the cgi handlers
that I know of.
So I went to disable php... I added RemoveType directives for all
the .php .php3 .php4.. etc extensions that are set up in
/etc/httpd/conf.d/70_mod_php.conf
But that didn't disable anything. So I also added a RemoveHandler for
the same extensions... Again nothing.
Any idea how to disable php handling from the .htaccess file?
The other alternative is to clear all the types/handlers (if that's
possible) and just add back the ones I do want to handle (this might be
a better solution). I tried a ForceType followed by other AddTypes, but
the ForceType apparently overrides even subsequent added types.
Any thoughts?
Thanks again!
Davy
Joshua Slive wrote:
>On Fri, 20 Aug 2004 13:24:16 -0500, Davy Durham <pu...@davyandbeth.com> wrote:
>
>
>>Hi,
>> I'm developing a part of my site where users will be able to
>>upload/download files via http. However, currently if a user were to
>>upload for instance a .php file then it executes it.
>>
>>QUESTION: Is there a blanket way to disable execution of anything?
>>
>>
>
>I don't think so.
>
>In a perfect world, you could simply
>SetHandler default-handler
>RemoveOutputFilter *
>Options -ExecCGI
>
>But many modules deviously use "magic" mime-types which activate
>handlers in the background, the RemoveOutputFilter directive doesn't
>work like that, and not all modules honour the ExecCGI flag.
>
>So I think you are pretty-much stuck handling each
>dynamic-content-source separately.
>
>Joshua.
>
Re: [users@httpd] disabling all cgi
Posted by Joshua Slive <js...@gmail.com>.
On Fri, 20 Aug 2004 13:24:16 -0500, Davy Durham <pu...@davyandbeth.com> wrote:
> Hi,
> I'm developing a part of my site where users will be able to
> upload/download files via http. However, currently if a user were to
> upload for instance a .php file then it executes it.
>
> QUESTION: Is there a blanket way to disable execution of anything?
I don't think so.
In a perfect world, you could simply
SetHandler default-handler
RemoveOutputFilter *
Options -ExecCGI
But many modules deviously use "magic" mime-types which activate
handlers in the background, the RemoveOutputFilter directive doesn't
work like that, and not all modules honour the ExecCGI flag.
So I think you are pretty-much stuck handling each
dynamic-content-source separately.
Joshua.
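
Added example, not part of any message in this thread: a heuristic, line-based Python scan of an httpd configuration that lists each way dynamic content is activated (by extension, by "magic" MIME type, or by a blanket directive), which is what "handling each dynamic-content-source separately" requires knowing. The sample configuration, the function names and the `application/x-httpd-` prefix test are assumptions made for illustration.

```python
EXT_MAPPED = {                      # Add* directive -> directive that undoes it
    "addhandler": "RemoveHandler",
    "addtype": "RemoveType",
    "addoutputfilter": "RemoveOutputFilter",
}
BLANKET = {"sethandler", "setoutputfilter", "scriptalias"}  # not tied to an extension
# Assumption: a MIME type with this prefix is a "magic" type that a module
# treats as a handler name, not a real content type.
MAGIC_PREFIX = "application/x-httpd-"

def find_dynamic_sources(conf_text):
    """Return (directive, target, extensions) for each execution mapping."""
    found = []
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#<":      # comments and section tags
            continue
        parts = line.split()
        name = parts[0].lower()
        args = [a.strip('"') for a in parts[1:]]
        if name in EXT_MAPPED and len(args) >= 2:
            if name == "addtype" and not args[0].lower().startswith(MAGIC_PREFIX):
                continue                     # ordinary type such as image/gif
            exts = ["." + a.lstrip(".").lower() for a in args[1:]]
            found.append((parts[0], args[0], exts))
        elif name in BLANKET and args:
            if name == "sethandler" and args[0].lower() in ("default-handler", "none"):
                continue
            found.append((parts[0], args[0], []))
    return found

def removal_candidates(sources):
    """Remove* lines to try in the upload directory, one per mechanism."""
    wanted = {}
    for directive, _target, exts in sources:
        remover = EXT_MAPPED.get(directive.lower())
        if remover:
            wanted.setdefault(remover, set()).update(exts)
    return [f"{r} {' '.join(sorted(e))}" for r, e in sorted(wanted.items())]

def needs_separate_handling(sources):
    """Mappings that no per-extension Remove* directive can undo."""
    return [(d, t) for d, t, exts in sources if not exts]

# Constructed sample configuration (not taken from the thread).
SAMPLE_CONF = """\
AddType image/gif .gif
AddType application/x-httpd-php .php .php3 .php4
AddHandler cgi-script .cgi .pl
AddOutputFilter INCLUDES .shtml
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Files *.py>
    SetHandler cgi-script
</Files>
"""

if __name__ == "__main__":
    src = find_dynamic_sources(SAMPLE_CONF)
    print(removal_candidates(src), needs_separate_handling(src))
```

Whether the generated Remove* lines take effect from .htaccess still depends on how the module was activated, as the thread found with PHP.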