Posted to users@httpd.apache.org by David Christensen <dp...@holgerdanske.com> on 2003/10/04 08:10:23 UTC
[users@httpd] protecting non-script files in public_html/cgi-bin/ via .htaccess
hello, world!

I am doing some CGI development for a site on a shared hosting service
that puts the CGI directory under the virtual host's DocumentRoot (e.g.
~/public_html/cgi-bin/). The server is configured such that requests to
"http://my.domain.com/cgi-bin/non-script-file" result in
"non-script-file" being displayed in the browser. I would like to
prevent such.

So, I RTFM and came up with the following .htaccess file and placed it
in the CGI directory on my development server:

dpchrist@d3020g:~/public_html/cgi-bin:CVS> ll .htaccess
-rw-r--r-- 1 dpchrist dpchrist 95 Oct 3 22:49 .htaccess

dpchrist@d3020g:~/public_html/cgi-bin:CVS> cat .htaccess
<Files "*.pl">
Order allow,deny
Allow from all
</Files>
Order deny,allow
Deny from all

It seems to have the desired effect (Perl CGI scripts work, but user
gets "403 Forbidden" for all other files).

Is this a robust solution, or just newbie wishful thinking?

TIA,

David
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
" from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
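
Added example (not part of the original thread, and not Apache's own code): a simplified Python model of how the .htaccess posted above is evaluated. It assumes only "from all" rules, that a matching <Files> section replaces the directory-level access rules, and case-sensitive file name matching; the sample file names are constructed.

```python
# Simplified model (added example, not Apache source) of how the posted
# .htaccess decides between 200 and 403 for a file in the cgi-bin directory.
from fnmatch import fnmatchcase

# Directory-level rules from the .htaccess: "Order deny,allow" + "Deny from all"
DIR_RULES = {"order": "deny,allow", "allow_all": False, "deny_all": True}
# <Files "*.pl"> section: "Order allow,deny" + "Allow from all"
FILES_SECTIONS = [
    ("*.pl", {"order": "allow,deny", "allow_all": True, "deny_all": False}),
]

def evaluate(rules):
    """Apply Order semantics for rules that only use 'from all'."""
    allowed, denied = rules["allow_all"], rules["deny_all"]
    if rules["order"] == "allow,deny":
        # Default is deny; a Deny match overrides an Allow match.
        return allowed and not denied
    # "deny,allow": default is allow; an Allow match overrides a Deny match.
    return allowed or not denied

def effective_rules(basename):
    """<Files> sections are merged after the directory-level directives.
    Assumption: a matching section replaces the access rules outright."""
    rules = DIR_RULES
    for pattern, section in FILES_SECTIONS:
        if fnmatchcase(basename, pattern):  # matched against the file name only
            rules = section
    return rules

def status_for(basename):
    """Return the HTTP status the model predicts for a file name."""
    return 200 if evaluate(effective_rules(basename)) else 403

# Constructed file names, including leftovers typical of a CVS working copy.
SAMPLES = ["form.pl", "form.pl~", "form.pl.bak", "config.inc", "Entries"]

if __name__ == "__main__":
    for name in SAMPLES:
        print(f"{status_for(name)}  {name}")
```

In this model only names ending in ".pl" are served, so editor backups such as "form.pl~" and renamed copies such as "form.pl.bak" fall under the directory-level "Deny from all".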
Re: [users@httpd] protecting non-script files in public_html/cgi-bin/ via .htaccess
Posted by David Christensen <dp...@holgerdanske.com>.
users@httpd.apache.org:
Nikolaus Schmitt wrote:
> to make it more "robust", I wouldn't use a user-accessible ".htaccess"
> file.
I *am* the user. I do not have access to httpd.conf, only to .htaccess.
David
Re: [users@httpd] protecting non-script files in public_html/cgi-bin/ via .htaccess
Posted by Nikolaus Schmitt <n....@scaet.de>.
Hi,
To make it more "robust", I wouldn't use a user-accessible ".htaccess" file.
It's possible to nest the "<Files>" block inside a "<Location>" block within
the virtual host's definition. Using "mod_rewrite" - alone or in combination
with "location" and "type" access rules - can give much finer control over
what content is accessible from "user-writeable file areas". Choose a
reasonable level of "robustness" and "security" ...
Regards
Niko
----- Original Message -----
From: "David Christensen" <dp...@holgerdanske.com>
To: <us...@httpd.apache.org>
Sent: Saturday, October 04, 2003 8:10 AM
Subject: [users@httpd] protecting non-script files in public_html/cgi-bin/
via .htaccess
> hello, world!
>
> I am doing some CGI development for a site on a shared hosting service
> that puts the CGI directory under the virtual host's DocumentRoot (e.g.
> ~/public_html/cgi-bin/). The server is configured such that requests to
> "http://my.domain.com/cgi-bin/non-script-file" result in
> "non-script-file" being displayed in the browser. I would like to
> prevent such.
>
> So, I RTFM and came up with the following .htaccess file and placed it
> in the CGI directory on my development server:
>
> dpchrist@d3020g:~/public_html/cgi-bin:CVS> ll .htaccess
> -rw-r--r-- 1 dpchrist dpchrist 95 Oct 3 22:49 .htaccess
>
> dpchrist@d3020g:~/public_html/cgi-bin:CVS> cat .htaccess
> <Files "*.pl">
> Order allow,deny
> Allow from all
> </Files>
> Order deny,allow
> Deny from all
>
> It seems to have the desired effect (Perl CGI scripts work, but user
> gets "403 Forbidden" for all other files).
>
> Is this a robust solution, or just newbie wishful thinking?
>
> TIA,
>
> David