Posted to users@httpd.apache.org by David Christensen <dp...@holgerdanske.com> on 2003/10/04 08:10:23 UTC

[users@httpd] protecting non-script files in public_html/cgi-bin/ via .htaccess

hello, world!

I am doing some CGI development for a site on a shared hosting service
that puts the CGI directory under the virtual host's DocumentRoot (e.g.
~/public_html/cgi-bin/).  The server is configured such that requests to
"http://my.domain.com/cgi-bin/non-script-file" result in
"non-script-file" being displayed in the  browser.  I would like to
prevent such.

So, I RTFM and came up with the following .htaccess file and placed it
in the CGI directory on my development server:

    dpchrist@d3020g:~/public_html/cgi-bin:CVS> ll .htaccess
    -rw-r--r--    1 dpchrist dpchrist       95 Oct  3 22:49 .htaccess

    dpchrist@d3020g:~/public_html/cgi-bin:CVS> cat .htaccess
    <Files "*.pl">
        Order allow,deny
        Allow from all
    </Files>
    Order deny,allow
    Deny from all

It seems to have the desired effect (Perl CGI scripts work, but user
gets "403 Forbidden" for all other files).

Is this a robust solution, or just newbie wishful thinking?

TIA,

David


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
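
An added example, not part of the original post: a Python sketch that lists which files under a CGI directory the posted `<Files "*.pl">` rule would leave reachable and which fall through to `Deny from all`. It approximates Apache's wildcard match on the file's base name with Python's `fnmatchcase` (case-sensitive, as on a Unix host); the function names and sample file names are assumptions made for illustration.

```python
import os
import tempfile
from fnmatch import fnmatchcase

ALLOW_PATTERN = "*.pl"  # pattern from the posted <Files "*.pl"> block


def audit_cgi_dir(root, pattern=ALLOW_PATTERN):
    """Return (allowed, denied) relative paths under root.

    A name matching the pattern gets "Allow from all"; everything else
    falls through to the directory-wide "Deny from all". Matching is on
    the base name only, so the rule also covers subdirectories.
    """
    allowed, denied = [], []
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            rel = os.path.relpath(os.path.join(dirpath, name), root)
            (allowed if fnmatchcase(name, pattern) else denied).append(rel)
    return sorted(allowed), sorted(denied)


# Constructed sample names (hypothetical), not taken from the post.
SAMPLE_FILES = ["form.pl", "form.pl~", "form.pl.bak", "Upload.PL",
                "settings.conf", ".htaccess", "notes.pl",
                os.path.join("lib", "Helper.pm"),
                os.path.join("lib", "tool.pl")]


def demo():
    """Build the sample tree in a temp directory and audit it."""
    with tempfile.TemporaryDirectory() as root:
        for rel in SAMPLE_FILES:
            full = os.path.join(root, rel)
            os.makedirs(os.path.dirname(full), exist_ok=True)
            open(full, "w").close()
        return audit_cgi_dir(root)


if __name__ == "__main__":
    allowed, denied = demo()
    print("reachable:", allowed)
    print("403:", denied)
```

Editor backups, modules and configuration files land in the denied list, while any file whose name ends in `.pl`, script or not, stays reachable.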


Re: [users@httpd] protecting non-script files in public_html/cgi-bin/ via .htaccess

Posted by David Christensen <dp...@holgerdanske.com>.
users@httpd.apache.org:

Nikolaus Schmitt wrote:
> To make it more "robust", I wouldn't use a user accessible ".htaccess"
> file.

I *am* the user.  I do not have access to httpd.conf, only to .htaccess.


David





Re: [users@httpd] protecting non-script files in public_html/cgi-bin/ via .htaccess

Posted by Nikolaus Schmitt <n....@scaet.de>.
Hi,
To make it more "robust", I wouldn't use a user accessible ".htaccess" file.
It's possible to nest the "<Files>" block inside a "<Location>" block within
the virtual hosts definition. Using "mod_rewrite" - alone or in combination
with "location" and "type" access rules - can give a much finer control on
what content is accessible from "user writeable file areas". Choose a
reasonable level of "robustness" and "security" ...
Regards
Niko


----- Original Message -----
From: "David Christensen" <dp...@holgerdanske.com>
To: <us...@httpd.apache.org>
Sent: Saturday, October 04, 2003 8:10 AM
Subject: [users@httpd] protecting non-script files in public_html/cgi-bin/
via .htaccess


> hello, world!
>
> I am doing some CGI development for a site on a shared hosting service
> that puts the CGI directory under the virtual host's DocumentRoot (e.g.
> ~/public_html/cgi-bin/).  The server is configured such that requests to
> "http://my.domain.com/cgi-bin/non-script-file" result in
> "non-script-file" being displayed in the  browser.  I would like to
> prevent such.
>
> So, I RTFM and came up with the following .htaccess file and placed it
> in the CGI directory on my development server:
>
>     dpchrist@d3020g:~/public_html/cgi-bin:CVS> ll .htaccess
>     -rw-r--r--    1 dpchrist dpchrist       95 Oct  3 22:49 .htaccess
>
>     dpchrist@d3020g:~/public_html/cgi-bin:CVS> cat .htaccess
>     <Files "*.pl">
>         Order allow,deny
>         Allow from all
>     </Files>
>     Order deny,allow
>     Deny from all
>
> It seems to have the desired effect (Perl CGI scripts work, but user
> gets "403 Forbidden" for all other files).
>
> Is this a robust solution, or just newbie wishful thinking?
>
> TIA,
>
> David

