httpd-dev mailing list archives

From Andrew Ho <>
Subject Re: Need a new feature: Listing of CGI-enabled directories.
Date Fri, 31 May 2002 16:06:16 GMT

RG>With regards to this it would be most helpful if I could get Apache,
RG>which already has code to parse and analyze Apache configuration files,
RG>to simply spit out a list of all of the CGI-enabled directories that are
RG>specified in a given http.conf file to, say, stdout.

The reason you can't do this easily is because Apache doesn't work this
way. It doesn't ever build up a big list of every directory that has
permission to do foo or bar capability. In real time, it takes requests,
and then it compares those requests against a set of rules to decide
whether foo or bar capability is called for.

I doubt it is a good idea to include this functionality in Apache.

RL>mod_info will tell you some of this. ie. Look for ScriptAlias lines under
RL>mod_alias.c and AddHandler cgi-script lines under mod_mime.c.

RG>I was hoping to find a volunteer to actually hack on this for me. I am
RG>_not_ well versed in Apache internals myself.

So as Rasmus points out, you can parse configuration information either
manually or automatically to achieve a similar goal.

I recommend parsing httpd.conf instead using a script of your own
devising. There are some Perl scripts written by the mod_perl crowd which
will take you 95% of the way to getting good parsing. Try looking on CPAN
for the Apache::ConfigParser or Apache::Admin::Config modules.

But note that the best that you can do is to spit out a big list of files
and directories, which you then must scan the filesystem for using "find"
or an equivalent anyway. And during that scanning you'll have to worry
about whether to, for example, FollowSymLinks.

RG>In the case of FormMail scripts, if the big web hosting companies can
RG>just scan all of their CGI directories for them every night and then
RG>simply `rm' or `chmod 0000' anything found by the scans of the previous
RG>night every morning, then that will be about 99.9% sufficient to
RG>eliminate the problem.

I think the question is, if all your VirtualHost DocumentRoots and
ScriptAliases are under one big tree anyway, why not scan the entire tree
and be more confident, rather than scanning a subset of it which may not
be that much bigger?

If it is known that ScriptAliases and directories with ExecCGI enabled are
rare, and always have FollowSymLinks disabled, then I suggest the parsing
approach mentioned above.



Andrew Ho     
Engineer                   Voice 650-930-9062
Tellme Networks, Inc.       1-800-555-TELL            Fax 650-930-9101
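
A sketch of the parsing approach recommended in the message above, added here as an example; it is not code from the thread, from Apache, or from the CPAN modules mentioned. The function name `cgi_dirs` and the sample configuration are constructed for illustration, and the parser assumes a single file: it does not follow `Include`, `.htaccess` overrides, or `ScriptAliasMatch` patterns.

```python
import re

# Constructed sample configuration, not taken from the thread.
SAMPLE_CONF = '''
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"
<Directory "/home/alice/public_html">
    Options Indexes +ExecCGI
    AddHandler cgi-script .cgi .pl
</Directory>
<Directory /var/www/html>
    Options Indexes -ExecCGI
</Directory>
<VirtualHost *:80>
    scriptalias /forms/ /srv/vhost1/forms/
    <Directory /srv/vhost1/legacy>
        Options All
    </Directory>
</VirtualHost>
'''

def cgi_dirs(conf_text):
    """Return sorted (reason, path) pairs for places where CGI may execute."""
    found, stack = set(), []  # stack holds the enclosing <Directory> paths
    for raw in conf_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<\s*Directory\s+(.+?)\s*>$", line, re.I)
        if m:
            stack.append(m.group(1).strip('"'))
            continue
        if re.match(r"</\s*Directory\s*>$", line, re.I):
            stack = stack[:-1]  # tolerate a stray closing tag
            continue
        # Split into words, keeping double-quoted arguments together.
        words = re.findall(r'"[^"]*"|\S+', line)
        name, args = words[0].lower(), [w.strip('"') for w in words[1:]]
        scope = stack[-1] if stack else "(server-wide)"
        if name == "scriptalias" and len(args) == 2:
            found.add(("ScriptAlias", args[1]))
        # "Options All" includes ExecCGI; "-ExecCGI" removes it and is skipped.
        elif name == "options" and any(
                a.lower().lstrip("+") in ("execcgi", "all") for a in args):
            found.add(("ExecCGI", scope))
        elif name == "addhandler" and args and args[0].lower() == "cgi-script":
            found.add(("AddHandler", scope))
    return sorted(found)

if __name__ == "__main__":
    for reason, path in cgi_dirs(SAMPLE_CONF):
        print(f"{reason:12} {path}")
```

The resulting paths are only the starting points for a filesystem scan; symlink handling during that scan still has to be decided separately, as the message notes.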
