Posted to apache-bugdb@apache.org by Bill Ott <bi...@ibm.net> on 1999/05/17 03:29:12 UTC

mod_auth-any/4422: parsing appears to stop at the CGI file.

>Number:         4422
>Category:       mod_auth-any
>Synopsis:       parsing appears to stop at the CGI file.
>Confidential:   no
>Severity:       non-critical
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun May 16 18:30:01 PDT 1999
>Last-Modified:
>Originator:     billott@ibm.net
>Organization:
apache
>Release:        1.3.6
>Environment:
NT 4.0 w/ SP4, running DB2 and Net.Data, converting from Domino Web Server to Apache.
>Description:
Net.Data runs as a cgi-bin. (http://foo.com/db2www.cgi/trythid.d3w) where
trythis.d3w is passed to db2www.cgi. I successfully restrict access to the
cgi-bin directory & the program works just like Domino. Under Domino, I further
restrict file access for files ending in .d2w. Under apache, it appears that
the file checking stops when it reaches the cgi and it transfers to there.
The result is I lose the second level file protection. This may be the "parsed
output" limitation and it works as designed. If so, I'll live without it.  
>How-To-Repeat:
Set up a cgi-bin where you pass the cgi a file. Then try to restrict access to
the file.
>Fix:

>Audit-Trail:
>Unformatted:
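
The behaviour described in this report, as an added example that is not part of the original report and is not Apache's code: a simplified Python model of how a request path is split into the CGI script and PATH_INFO, showing why a rule scoped to files on disk never sees the trailing macro name while a rule scoped to the URL (such as a Location section) does. The file set, request path, pattern and function names are constructed for illustration.

```python
import re

# Constructed document tree: the only real file on disk is the CGI program.
FILES_ON_DISK = {"/cgi-bin/db2www.cgi"}


def split_path_info(url_path, files=FILES_ON_DISK):
    """Walk the URL left to right and stop at the first component that is a file.

    Returns (script_path, path_info). Everything after the script is handed to
    the CGI as PATH_INFO and is never looked up as a file by the server.
    """
    parts = url_path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        candidate = "/" + "/".join(parts[:i])
        if candidate in files:
            rest = "/".join(parts[i:])
            return candidate, ("/" + rest if rest else "")
    return None, ""


def file_rule_applies(pattern, url_path):
    """File-scoped rule: tested against the basename of the resolved file only."""
    script, _ = split_path_info(url_path)
    if script is None:
        return False
    return re.search(pattern, script.rsplit("/", 1)[-1]) is not None


def url_rule_applies(pattern, url_path):
    """URL-scoped rule: tested against the full request path, PATH_INFO included."""
    return re.search(pattern, url_path) is not None


REQUEST = "/cgi-bin/db2www.cgi/report.d2w"  # constructed request path
MACRO_RULE = r"\.d2w$"                      # hypothetical restriction on macro files

if __name__ == "__main__":
    print("script, PATH_INFO:", split_path_info(REQUEST))
    print("file-scoped rule fires:", file_rule_applies(MACRO_RULE, REQUEST))
    print("URL-scoped rule fires: ", url_rule_applies(MACRO_RULE, REQUEST))
```
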