httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From "Boyle Owen" <>
Subject RE: Is "AllowOverride Options" dangerous?
Date Fri, 28 Jun 2002 14:15:04 GMT
The original question was how to prevent users from switching on CGI execution by putting something

	Options +ExecCGI
	AddHandler cgi-script .cgi

into a .htaccess file (assuming you had already allowed .htaccess with an "AllowOverride Options"
in the server config).

Despite what the documentation states, it appears that you can't use "AddHandler" in a .htaccess
(I get "AddHandler not allowed here"). So nothing to worry about unless you happen to have
this directive at server level already. If so, you can still force CGIs to be disabled in
user directories by using "RemoveHandler". E.g. if you have:

	AddHandler cgi-script .cgi
	<Directory /home/users>
	  AllowOverride Options
	  RemoveHandler .cgi

Then you will allow .cgi to be parsed as a CGI everywhere *except* inside /home/users and
the dastardly user's designs on programming will be foiled!


owen Boyle.

To unsubscribe, e-mail:
For additional commands, e-mail:

View raw message