Posted to users@httpd.apache.org by Richard Crawford <rc...@unexmail.ucdavis.edu> on 2003/06/14 00:03:36 UTC

[users@httpd] Perl not working... not as resolved as I thought

It was pointed out to me that if the server is set up such that someone can 
view the source code for our Perl scripts, our security is dangerous.

So what I need to do is figure out a way to make sure that requests for 
scripts by url are executed, so that their source code isn't revealed.

The scripts could be invoked by either:

http://www.thisisoursite.com/script.pl

or

http://www.thisisoursite.com/cfmx/script.pl

where cfmx is the context root which is required for Cold Fusion or JSP to 
run.  Currently if the scripts are invoked with the cfmx in place, then the 
source code is revealed.  Is there a way to avoid this?


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Re: [users@httpd] Perl not working... not as resolved as I thought

Posted by Robert Andersson <ro...@profundis.nu>.
Richard Crawford wrote:
> It was pointed out to me that if the server is set up such that someone can
> view the source code for our Perl scripts, our security is dangerous.

It sure is...

> The scripts could be invoked by either:
>
> http://www.thisisoursite.com/script.pl
>
> or
>
> http://www.thisisoursite.com/cfmx/script.pl
>
> where cfmx is the context root which is required for Cold Fusion or JSP to
> run.  Currently if the scripts are invoked with the cfmx in place, then the
> source code is revealed.  Is there a way to avoid this?

I don't know much of CF or JSP, so I can't tell the best way around it, so
I'll give you a few choices:

1) If /cfmx/ shouldn't be accessed by an HTTP request, you could:

<Directory /path/to/cfmx>
    Order Allow,Deny
    Deny from all
</Directory>

2) If you know all the scripts' file extensions, you could:

<Directory /path/to/cfmx>
    <Files ~ "\.pl">
        Order allow,deny
        Deny from all
    </Files>
</Directory>

If, which I fear, /cfmx/ is actually the same filesystem directory, the
above methods may not work, so these methods are perhaps better:

3) Let the scripts be executed instead:

<Directory /path/to/cfmx>
    Options +ExecCGI
</Directory>

4) Or, deny access:

# A regex on the URL path needs LocationMatch (plain <Location> takes a prefix)
<LocationMatch "^/cfmx/.+\.pl$">
    Order allow,deny
    Deny from all
</LocationMatch>

Without a better understanding of your setup, I cannot suggest better
methods, although I am sure others can.

Regards,
Robert Andersson
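
Added example, not part of the original thread: a check to run after changing the configuration, classifying what each of the two URL forms returns (executed output, a denial, or raw Perl source). The marker patterns, function names and sample responses are assumptions constructed for this illustration.

```python
import re
import urllib.error
import urllib.request

# Heuristic markers of raw Perl source (chosen for this example, not exhaustive).
PERL_SOURCE_MARKERS = [
    re.compile(rb"^#!\s*/\S*perl", re.M),                     # shebang line
    re.compile(rb"^\s*use\s+(strict|warnings|CGI)\b", re.M),  # pragmas / modules
    re.compile(rb"^\s*(my|our)\s+[$@%]\w+", re.M),            # variable declarations
]

def classify_response(status, content_type, body):
    """Return 'denied', 'source-leaked' or 'ok' for one HTTP response."""
    if status in (401, 403, 404):
        return "denied"
    hits = sum(1 for marker in PERL_SOURCE_MARKERS if marker.search(body))
    # One marker in a text/plain body, or two anywhere, is treated as a leak.
    if hits >= 2 or (hits == 1 and content_type.lower().startswith("text/plain")):
        return "source-leaked"
    return "ok"

def fetch(url, timeout=10):
    """Fetch a URL on a server you administer; returns (status, content_type, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as resp:
            return resp.status, resp.headers.get("Content-Type", ""), resp.read()
    except urllib.error.HTTPError as err:  # 4xx/5xx still carry a status to classify
        return err.code, err.headers.get("Content-Type", ""), err.read()

def audit(responses):
    """Classify a {path: (status, content_type, body)} mapping."""
    return {path: classify_response(*resp) for path, resp in responses.items()}

# Constructed responses: the thread's two URL forms before any fix,
# then /cfmx/ after a deny rule takes effect.
LEAKED_BODY = b"#!/usr/bin/perl\nuse strict;\nmy $q = CGI->new;\nprint $q->header;\n"
BEFORE = {
    "/script.pl": (200, "text/html", b"<html><body>Hello</body></html>"),
    "/cfmx/script.pl": (200, "text/plain", LEAKED_BODY),
}
AFTER_DENY = dict(BEFORE, **{"/cfmx/script.pl": (403, "text/html", b"<h1>Forbidden</h1>")})

if __name__ == "__main__":
    for label, sample in (("before", BEFORE), ("after deny", AFTER_DENY)):
        print(label, audit(sample))
```

To check a live server, pass `classify_response(*fetch(url))` each URL form in turn; a `source-leaked` result on either path means the handler or deny rule is not covering it.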

