You are viewing a plain text version of this content. The canonical link for it is here.
Posted to modperl@perl.apache.org by Rob Giseburt <ro...@eatech.net> on 2000/08/03 16:36:19 UTC
.htacess security
Are .htaccess files secure? I don't want users to be able to use
<perl>...</perl> sections or any other mod_perl constructs (setting scripts
to run via the Registry, for example) in .htaccess files. However, I need
.htaccess files turned on so users can password protect directories
site-wide (so I can't shut .htaccess files off completely.)
Is there any need to worry? I can't have users writing any code that will be
executed by the primary httpd process ... all user CGI execution is done via
mod_cgi and SuEXEC.
Thanks,
-Rob Giseburt
--------------------------------
Random Quote:
"When the chips are down, the buffalo is empty."
(author unknown)
--------------------------------
Re: .htacess security
Posted by Doug MacEachern <do...@covalent.net>.
On Thu, 3 Aug 2000, Rob Giseburt wrote:
> Are .htaccess files secure? I don't want users to be able to use
> <perl>...</perl> sections or any other mod_perl constructs (setting scripts
> to run via the Registry, for example) in .htaccess files. However, I need
> .htaccess files turned on so users can password protect directories
> site-wide (so I can't shut .htaccess files off completely.)
you can disable <Perl> by choosing explict options for Makefile.PL (rather
than EVERYTHING=1)
or change this line in mod_perl.h:
#define SECTION_ALLOWED OR_ALL
to:
#define SECTION_ALLOWED RSRC_CONF
p.s.
mod_perl-2.0 will let you disable things like so:
<Files ~ "^\.htaccess$">
PerlOptions -PerlSections
</Files>