httpd-dev mailing list archives

From Glenn ...@netspace.org>
Subject [PATCH] modify httpd.conf-dist defaults
Date Tue, 24 Jun 2003 23:20:29 GMT
Might be too late for 1.3.28, but I'd love some comments.

- Changes defaults to disallow access to files unless explicitly allowed.
- Turns off CGICommandArgs
  I haven't seen any scripts that still use this, but have come across
  more than a handful of scripts that were vulnerable.  And this is the
  reason that PHP jumps through so many hoops in its CGI mode.  It is
  counterintuitive that environment variables would override command line
  arguments in PHP, but the default of CGICommandArgs on is the reason.
- On unix httpd-conf-dist, does not allow Emacs autosave or temporary files
  to be served (along with not allowing .ht* files).  Emacs keeps the same
  permission on its temp files, which is a poor choice.  (vi restricts
  permission to owner on its .swp files.)  Also gives a commented out example
  that additionally disallows *.bak, *.old, *.so, *.a, and *.o files.

OAM, would someone please give some feedback on the server-side include
patches for Apache2 that I posted last month?  Thanks.

Cheers,
Glenn


diff -ru apache_1.3.27/conf/highperformance.conf-dist apache_1.3.27.new/conf/highperformance.conf-dist
--- apache_1.3.27/conf/highperformance.conf-dist	2001-08-29 09:32:07.000000000 -0400
+++ apache_1.3.27.new/conf/highperformance.conf-dist	2003-06-24 14:00:04.000000000 -0400
@@ -33,14 +33,18 @@
 # this if you need logging.
 #TransferLog logs/access_log
 
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+#  an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
 # Disable symlink protection and htaccess files, they chew far too much.
 <Directory />
     AllowOverride none
     Options FollowSymLinks
-    # If this was a real internet server you'd probably want to
-    # uncomment these:
-    #order deny,allow
-    #deny from all
+    order deny,allow
+    deny from all
+    # you'll need to "allow" access to files you want to serve.  see below
 </Directory>
 
 # If this was a real internet server you'd probably want to uncomment this:
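Review bot: with `deny from all` now active in `<Directory />`, the added comment tells the reader to "allow" access "below", but no hunk in this patch touches the DocumentRoot `<Directory>` block of highperformance.conf-dist; confirm that block already carries an `allow from all`, or add it in this patch, otherwise the shipped config serves nothing. Also `order deny,allow` here is lowercase while the httpd.conf-dist `<Files>` block uses `Order allow,deny` / `Deny from all`; pick one casing.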
diff -ru apache_1.3.27/conf/httpd.conf-dist apache_1.3.27.new/conf/httpd.conf-dist
--- apache_1.3.27/conf/httpd.conf-dist	2002-09-04 00:39:41.000000000 -0400
+++ apache_1.3.27.new/conf/httpd.conf-dist	2003-06-24 14:16:31.000000000 -0400
@@ -289,6 +289,7 @@
 <Directory />
     Options FollowSymLinks
     AllowOverride None
+    deny from all
 </Directory>
 
 #
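Review bot: `deny from all` is added to `<Directory />` without an explicit `Order` directive, so the deny-by-default behaviour relies on the implicit default order rather than stating it. Add `Order deny,allow` above it, as the highperformance.conf-dist hunk does, and use the `Deny` capitalisation already used in the `<Files>` block further down. The same applies to the identical `<Directory />` hunks in httpd.conf-dist-nw and httpd.conf-dist-win.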
@@ -376,7 +377,8 @@
 # Also, folks tend to use names such as .htpasswd for password
 # files, so this will protect those as well.
 #
-<Files ~ "^\.ht">
+#<Files ~ "^\.ht|^#.*#$|~$|\.bak$|\.old$|\.so$|\.a$|\.o$">
+<Files ~ "^\.ht|^#.*#$|~$">
     Order allow,deny
     Deny from all
     Satisfy All
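Review bot: the comment above this `<Files>` block still only explains `.ht*` password files; document the two new alternatives (`^#.*#$` for Emacs autosave files, `~$` for editor backup files) and what the commented-out variant adds, otherwise an administrator will not know why a request for `foo~` returns 403. The commented-out line also mixes `.so`, `.a` and `.o` object files in with editor leftovers like `.bak` and `.old`; a one-line comment saying why those are listed would help.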
@@ -523,6 +525,12 @@
 # EBCDICConvertByType Off=InOut */*
 
 
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+#  an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
+
 #
 # Aliases: Add here as many aliases as you need (with no limit). The format is 
 # Alias fakename realname
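Review bot: the inserted `CGICommandArgs off` block is surrounded by two blank lines on each side, inconsistent with the single-blank-line spacing used elsewhere in httpd.conf-dist and with the same block as inserted in the -nw and -win files; drop the extra blank lines.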
diff -ru apache_1.3.27/conf/httpd.conf-dist-nw apache_1.3.27.new/conf/httpd.conf-dist-nw
--- apache_1.3.27/conf/httpd.conf-dist-nw	2002-09-13 18:02:48.000000000 -0400
+++ apache_1.3.27.new/conf/httpd.conf-dist-nw	2003-06-24 14:03:58.000000000 -0400
@@ -249,6 +249,7 @@
 <Directory />
     Options FollowSymLinks
     AllowOverride None
+    deny from all
 </Directory>
 
 #
@@ -469,6 +470,11 @@
 #
 ServerSignature On
 
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+#  an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
 #
 # Aliases: Add here as many aliases as you need (with no limit). The format is 
 # Alias fakename realname
diff -ru apache_1.3.27/conf/httpd.conf-dist-win apache_1.3.27.new/conf/httpd.conf-dist-win
--- apache_1.3.27/conf/httpd.conf-dist-win	2002-09-04 00:39:41.000000000 -0400
+++ apache_1.3.27.new/conf/httpd.conf-dist-win	2003-06-24 14:03:24.000000000 -0400
@@ -311,6 +311,7 @@
 <Directory />
     Options FollowSymLinks
     AllowOverride None
+    deny from all
 </Directory>
 
 #
@@ -564,6 +565,11 @@
 # (Unix behavior) option, and will override this server default option.
 #
 
+# Never pass query string arguments as command line arguments to CGI.
+# (Args are passed on the command line if the query string does not contain
+#  an '=' and CGICommandArgs on, the default if omitted for backwards compat)
+CGICommandArgs off
+
 #
 # Aliases: Add here as many aliases as you need (with no limit). The format is 
 # Alias fakename realname
