Posted to infrastructure-dev@apache.org by Paul Querna <pa...@querna.org> on 2009/08/29 21:43:13 UTC

RFC: Disabling CGI on most VHosts

Hi,

In order to increase the security of our websites and considering our
most recent issues, I would like to consider disabling CGI support for
the vast majority of TLP Vhosts.

We have 301 CGI scripts in /x1/www (ignoring the wiki).

From my best estimates, only 3 of them are not variations on mirror.cgi:
  /x1/www/search.apache.org/index.cgi
  /x1/www/perl.apache.org/search/swish.cgi
  /x1/www/projects.apache.org/make_doap.cgi

So, 99% of the CGI Scripts in /x1/www/ are copies and variations of
download.cgi:
""""
#!/bin/sh
# Wrapper script around mirrors.cgi script
# (we must change to that directory in order for python to pick up the
#  python includes correctly)
cd /www/www.apache.org/dyn/mirrors
/www/www.apache.org/dyn/mirrors/mirrors.cgi $*

""""

All that mirrors.cgi does is read the original path out, convert the
.cgi to .html, and use the .html file on disk as a template:
<http://svn.apache.org/repos/asf/infrastructure/site/trunk/docs/dyn/mirrors/mirrors.cgi>

At first I believed we could replace all of these with a few rewrite
rules, a small modification to the mirror.cgi script:
RewriteRule ^/download.cgi$ /www/www.apache.org/dyn/mirrors/mirrors.cgi/%{SERVER_NAME}/%{REQUEST_URI}

As putting RewriteRules in hundreds of places is potentially painful,
it might be reasonable to write a small Apache httpd module (heh,
heh), mod_asf_downloads, which would bind to the .cgi extension in
most vhosts.  It would scan the .cgi file for the mirrors.cgi
invocation, and if detected automatically rewrite the URL to
mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
for a seamless 'upgrade' for most vhosts, and mean we could turn off
ExecCGI very soon, instead of asking for every TLP to change
something.

Thoughts?

Thanks,

Paul
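The inventory step described above (sorting the .cgi files under the web root into "just a hand-off to mirrors.cgi, so a rewrite can replace it" versus "real CGI that still needs ExecCGI"), together with the .cgi-to-.html template mapping mirrors.cgi relies on, as an added example. This is not ASF infrastructure code and not mod_asf_mirrorcgi; the sample scripts, the vhost names in the temporary docroot and the `rewrite_target` helper (which assumes REQUEST_URI already carries its leading slash) are constructed for the example. The check is deliberately conservative: a wrapper that does anything beyond the cd and the single hand-off line is left classified as a real CGI.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Path quoted in the thread; everything else below is constructed.
MIRRORS_CGI = "/www/www.apache.org/dyn/mirrors/mirrors.cgi"
MIRRORS_DIR = os.path.dirname(MIRRORS_CGI)

# One hand-off line is allowed: the mirrors.cgi path, optionally exec'd,
# optionally passing the CGI arguments on as $* or "$@", and nothing else.
_INVOKE = re.compile(r"^(?:exec\s+)?" + re.escape(MIRRORS_CGI) + r'(?:\s+(?:\$\*|"\$@"))?$')
_CD = re.compile(r"^cd\s+" + re.escape(MIRRORS_DIR) + r"/?$")


@dataclass
class CgiScript:
    path: str         # filesystem path of the .cgi file
    is_wrapper: bool  # True if the script only hands off to mirrors.cgi
    template: str     # .html template mirrors.cgi would render (wrappers only)


def is_mirrors_wrapper(text: str) -> bool:
    """Shebang, comments, an optional cd into the mirrors directory and exactly
    one hand-off line. Any other command (a pipe, a second binary, extra logic)
    disqualifies the file, so it keeps needing ExecCGI."""
    lines = [line.strip() for line in text.splitlines()]
    if not lines or not lines[0].startswith("#!"):
        return False
    body = [line for line in lines[1:] if line and not line.startswith("#")]
    handoffs = [line for line in body if _INVOKE.match(line)]
    other = [line for line in body if not _INVOKE.match(line) and not _CD.match(line)]
    return len(handoffs) == 1 and not other


def template_for(cgi_path: str) -> str:
    """mirrors.cgi renders the .html file beside the .cgi, so the --xml variant
    keeps its own template: foo--xml.cgi -> foo--xml.html."""
    root, ext = os.path.splitext(cgi_path)
    if ext != ".cgi":
        raise ValueError(f"not a .cgi script: {cgi_path}")
    return root + ".html"


def rewrite_target(server_name: str, request_uri: str) -> str:
    """Target the thread's RewriteRule hands to mirrors.cgi as PATH_INFO.
    Assumption: REQUEST_URI already starts with '/', so none is added."""
    return f"{MIRRORS_CGI}/{server_name}{request_uri}"


def audit(docroot: str) -> list:
    """Walk docroot and classify every .cgi file found."""
    found = []
    for dirpath, _dirs, files in os.walk(docroot):
        for name in sorted(files):
            if not name.endswith(".cgi"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, encoding="utf-8", errors="replace") as fh:
                wrapper = is_mirrors_wrapper(fh.read())
            found.append(CgiScript(path, wrapper, template_for(path) if wrapper else ""))
    return found


# Constructed sample web root: two hand-off wrappers, one real Perl CGI, and
# one wrapper that does extra work and therefore must not be rewritten.
SAMPLE_SCRIPTS = {
    "apr.apache.org/download.cgi":
        f"#!/bin/sh\n# Wrapper script around mirrors.cgi script\ncd {MIRRORS_DIR}\n{MIRRORS_CGI} $*\n",
    "ant.apache.org/ivy/ivyde/updatesite/eclipse-update--xml.cgi":
        f'#!/bin/sh\nexec {MIRRORS_CGI} "$@"\n',
    "perl.apache.org/search/swish.cgi":
        '#!/usr/bin/perl\nuse strict;\nprint "Content-type: text/html\\n\\n";\n',
    "example.apache.org/mirror-and-log.cgi":
        f"#!/bin/sh\ncd {MIRRORS_DIR}\n{MIRRORS_CGI} $* | tee -a /var/tmp/hits.log\n",
}


def run_demo() -> dict:
    """Write the constructed scripts into a temporary docroot, audit it and
    return {basename: is_wrapper}."""
    with tempfile.TemporaryDirectory() as docroot:
        for rel, text in SAMPLE_SCRIPTS.items():
            full = os.path.join(docroot, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            with open(full, "w", encoding="utf-8") as fh:
                fh.write(text)
        return {os.path.basename(s.path): s.is_wrapper for s in audit(docroot)}


if __name__ == "__main__":
    for name, wrapper in sorted(run_demo().items()):
        print(f"{name:28} {'rewrite to mirrors.cgi' if wrapper else 'still needs ExecCGI'}")
```

Run it as-is to see the four sample scripts classified; point `audit()` at a real docroot to reproduce the "301 scripts, 3 real CGIs" style count. Because `is_mirrors_wrapper` only accepts the cd plus one bare hand-off, a file that piped, logged or branched around mirrors.cgi shows up in the "still needs ExecCGI" list for a human to look at rather than being silently rewritten.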

Re: RFC: Disabling CGI on most VHosts

Posted by "Philip M. Gollucci" <pg...@p6m7g8.com>.
Paul Querna wrote:
> From my best estimates, only 3 of them are not variations on mirror.cgi:
>   /x1/www/perl.apache.org/search/swish.cgi
Besides the other obvious issues here, can this stay active?




> As putting RewriteRules in hundreds of places is potentially painful,
> it might be reasonable to write a small Apache httpd module (heh,
> heh), mod_asf_downloads, which would bind to the .cgi extension in
> most vhosts.  It would scan the .cgi file for the mirrors.cgi
> invocation, and if detected automatically rewrite the URL to
> mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
> for a seamless 'upgrade' for most vhosts, and mean we could turn off
> ExecCGI very soon, instead of asking for every TLP to change
> something.
+1


-- 
------------------------------------------------------------------------
1024D/DB9B8C1C B90B FBC3 A3A1 C71A 8E70  3F8C 75B8 8FFB DB9B 8C1C
Philip M. Gollucci (pgollucci@p6m7g8.com) c: 703.336.9354
Consultant          - P6M7G8 Inc.                http://p6m7g8.net
Senior Sys Admin    - RideCharge, Inc.           http://ridecharge.com
ASF Member          - Apache Software Foundation http://apache.org
FreeBSD Committer   - FreeBSD Foundation         http://freebsd.org

Work like you don't need the money,
love like you'll never get hurt,
and dance like nobody's watching.

Re: RFC: Disabling CGI on most VHosts

Posted by Paul Querna <pa...@querna.org>.
On Wed, Sep 2, 2009 at 8:58 PM, David Crossley<cr...@apache.org> wrote:
> Paul Querna wrote:
>>
>> Thoughts?
>
> No time to check your work sorry.
>
> Does that still enable the "xml" output variant?
> .../mirrors--xml.cgi and picking up the corresponding
> template mirrors--xml.html ?
>
> -David
>

Yes, this should still work correctly:
http://ant.apache.org/ivy/ivyde/updatesite/eclipse-update--xml.cgi

If you see any CGIs not working, let the list know. I've been watching
the error logs and spot checking everywhere I can think of, and it
looks good so far.

Thanks,

Paul

Re: RFC: Disabling CGI on most VHosts

Posted by David Crossley <cr...@apache.org>.
Paul Querna wrote:
> 
> Thoughts?

No time to check your work sorry.

Does that still enable the "xml" output variant?
.../mirrors--xml.cgi and picking up the corresponding
template mirrors--xml.html ?

-David

Re: RFC: Disabling CGI on most VHosts

Posted by "William A. Rowe, Jr." <wr...@rowe-clan.net>.
Paul Querna wrote:
> I did it:

guy... you were the only one doing anything this almost-holiday weekend,
I have to buy you a serious amount of beer at apachecon :)

Re: RFC: Disabling CGI on most VHosts

Posted by J Aaron Farr <fa...@apache.org>.
On Sun 30 Aug 2009 10:50, Paul Querna <pa...@querna.org> wrote:

> If I don't hear of adverse side effects from this, I would like to
> Disable ExecCGI by default on /x1/www/* and re-enable it only for
> specific vhosts that don't have an alternative yet.
>
> Yes/no/maybe?

+1

-- 
   J. Aaron Farr
   馮傑仁
   www.cubiclemuses.com

RE: RFC: Disabling CGI on most VHosts

Posted by Gavin <ga...@16degrees.com.au>.

> -----Original Message-----
> From: Paul Querna [mailto:paul@querna.org]
> Sent: Sunday, 30 August 2009 12:50 PM
> To: infrastructure-dev@apache.org
> Subject: Re: RFC: Disabling CGI on most VHosts
> 
> On Sat, Aug 29, 2009 at 12:43 PM, Paul Querna<pa...@querna.org> wrote:
> > Hi,
> > As putting RewriteRules in hundreds of places is potentially painful,
> > it might be reasonable to write a small Apache httpd module (heh,
> > heh), mod_asf_downloads, which would bind to the .cgi extension in
> > most vhosts.  It would scan the .cgi file for the mirrors.cgi
> > invocation, and if detected automatically rewrite the URL to
> > mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
> > for a seamless 'upgrade' for most vhosts, and mean we could turn off
> > ExecCGI very soon, instead of asking for every TLP to change
> > something.
> 
> I did it:
> <http://apr.apache.org/download.cgi>
> Runs with ExecCGI OFF for apr.apache.org.
> 
> See
> <https://svn.apache.org/repos/infra/infrastructure/trunk/projects/mod_asf_mirrorcgi/mod_asf_mirrorcgi.c>
> for details.
> 
> If I don't hear of adverse side effects from this, I would like to
> Disable ExecCGI by default on /x1/www/* and re-enable it only for
> specific vhosts that don't have an alternative yet.
> 
> Yes/no/maybe?

Yes +1

Gav...

> 
> Thanks,
> 
> Paul



Re: RFC: Disabling CGI on most VHosts

Posted by Norman Maurer <no...@apache.org>.
+1,
Norman

2009/8/30 Felix Meschberger <fm...@gmail.com>:
> Hi Paul
>
> <sling-pmc-chair hat="on">
>   Highly appreciated and very welcome.
>
>   +1
> </sling-pmc-chair>
>
> Thanks a lot.
>
> Regards
> Felix
>
> Paul Querna schrieb:
>> On Sat, Aug 29, 2009 at 12:43 PM, Paul Querna<pa...@querna.org> wrote:
>>> Hi,
>>> As putting RewriteRules in hundreds of places is potentially painful,
>>> it might be reasonable to write a small Apache httpd module (heh,
>>> heh), mod_asf_downloads, which would bind to the .cgi extension in
>>> most vhosts.  It would scan the .cgi file for the mirrors.cgi
>>> invocation, and if detected automatically rewrite the URL to
>>> mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
>>> for a seamless 'upgrade' for most vhosts, and mean we could turn off
>>> ExecCGI very soon, instead of asking for every TLP to change
>>> something.
>>
>> I did it:
>> <http://apr.apache.org/download.cgi>
>> Runs with ExecCGI OFF for apr.apache.org.
>>
>> See <https://svn.apache.org/repos/infra/infrastructure/trunk/projects/mod_asf_mirrorcgi/mod_asf_mirrorcgi.c>
>> for details.
>>
>> If I don't hear of adverse side effects from this, I would like to
>> Disable ExecCGI by default on /x1/www/* and re-enable it only for
>> specific vhosts that don't have an alternative yet.
>>
>> Yes/no/maybe?
>>
>> Thanks,
>>
>> Paul
>>
>

Re: RFC: Disabling CGI on most VHosts

Posted by Felix Meschberger <fm...@gmail.com>.
Hi Paul

<sling-pmc-chair hat="on">
   Highly appreciated and very welcome.

   +1
</sling-pmc-chair>

Thanks a lot.

Regards
Felix

Paul Querna schrieb:
> On Sat, Aug 29, 2009 at 12:43 PM, Paul Querna<pa...@querna.org> wrote:
>> Hi,
>> As putting RewriteRules in hundreds of places is potentially painful,
>> it might be reasonable to write a small Apache httpd module (heh,
>> heh), mod_asf_downloads, which would bind to the .cgi extension in
>> most vhosts.  It would scan the .cgi file for the mirrors.cgi
>> invocation, and if detected automatically rewrite the URL to
>> mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
>> for a seamless 'upgrade' for most vhosts, and mean we could turn off
>> ExecCGI very soon, instead of asking for every TLP to change
>> something.
> 
> I did it:
> <http://apr.apache.org/download.cgi>
> Runs with ExecCGI OFF for apr.apache.org.
> 
> See <https://svn.apache.org/repos/infra/infrastructure/trunk/projects/mod_asf_mirrorcgi/mod_asf_mirrorcgi.c>
> for details.
> 
> If I don't hear of adverse side effects from this, I would like to
> Disable ExecCGI by default on /x1/www/* and re-enable it only for
> specific vhosts that don't have an alternative yet.
> 
> Yes/no/maybe?
> 
> Thanks,
> 
> Paul
> 

Re: RFC: Disabling CGI on most VHosts

Posted by Paul Querna <pa...@querna.org>.
On Sat, Aug 29, 2009 at 12:43 PM, Paul Querna<pa...@querna.org> wrote:
> Hi,
> As putting RewriteRules in hundreds of places is potentially painful,
> it might be reasonable to write a small Apache httpd module (heh,
> heh), mod_asf_downloads, which would bind to the .cgi extension in
> most vhosts.  It would scan the .cgi file for the mirrors.cgi
> invocation, and if detected automatically rewrite the URL to
> mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
> for a seamless 'upgrade' for most vhosts, and mean we could turn off
> ExecCGI very soon, instead of asking for every TLP to change
> something.

I did it:
<http://apr.apache.org/download.cgi>
Runs with ExecCGI OFF for apr.apache.org.

See <https://svn.apache.org/repos/infra/infrastructure/trunk/projects/mod_asf_mirrorcgi/mod_asf_mirrorcgi.c>
for details.

If I don't hear of adverse side effects from this, I would like to
Disable ExecCGI by default on /x1/www/* and re-enable it only for
specific vhosts that don't have an alternative yet.

Yes/no/maybe?

Thanks,

Paul