httpd-users mailing list archives

From "Robert Andersson" <rob...@profundis.nu>
Subject Re: [users@httpd] Perl not working... not as resolved as I thought
Date Mon, 16 Jun 2003 04:47:57 GMT
Richard Crawford wrote:
> It was pointed out to me that if the server is set up such that someone can
> view the source code for our Perl scripts, our security is dangerous.

It sure is...

> The scripts could be invoked by either:
>
> http://www.thisisoursite.com/script.pl
>
> or
>
> http://www.thisisoursite.com/cfmx/script.pl
>
> where cfmx is the context root which is required for Cold Fusion or JSP to
> run.  Currently if the scripts are invoked with the cfmx in place, then the
> source code is revealed.  Is there a way to avoid this?

I don't know much of CF or JSP, so I can't tell the best way around it, so
I'll give you a few choices:

1) If /cfmx/ shouldn't be accessed by an HTTP request, you could:

<Directory /path/to/cfmx>
    Order Allow,Deny
    Deny from all
</Directory>

2) If you know all the scripts' file extensions, you could:

<Directory /path/to/cfmx>
    <Files ~ "\.pl">
        Order allow,deny
        Deny from all
    </Files>
</Directory>

If, which I fear, /cfmx/ is actually the same filesystem directory, the
above methods may not work, so these methods are perhaps better:

3) Let the scripts be executed instead:

<Directory /path/to/cfmx>
    Options +ExecCGI
</Directory>

4) Or, deny access:

<LocationMatch "^/cfmx/.+\.pl$">
        Order allow,deny
        Deny from all
</LocationMatch>

Without a better understanding of your setup, I cannot suggest better
methods, although I am sure others can.

Regards,
Robert Andersson


---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
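
Added example, not part of the original message: a small check an administrator can run after applying one of the options above, to confirm that neither URL form returns raw Perl source. The marker patterns, the function names and the sample responses are assumptions constructed for illustration.

```python
import re
import urllib.error
import urllib.request

# Heuristic markers of raw Perl source, as opposed to script output (assumed set).
SHEBANG = re.compile(rb"^#!.*\bperl", re.M)
OTHER_MARKERS = [
    re.compile(rb"^\s*use\s+(strict|warnings|CGI)\b", re.M),
    re.compile(rb"^\s*(my|our)\s+[$@%]\w+", re.M),
]

def looks_like_perl_source(body: bytes) -> bool:
    """True when the body has a Perl shebang or at least two other markers."""
    if SHEBANG.search(body):
        return True
    return sum(1 for p in OTHER_MARKERS if p.search(body)) >= 2

def classify(status: int, body: bytes) -> str:
    """Label one response: 'denied', 'source-exposed', 'executed' or 'other'."""
    if status in (401, 403, 404):
        return "denied"
    if status == 200 and looks_like_perl_source(body):
        return "source-exposed"
    return "executed" if status == 200 else "other"

def fetch(url: str, timeout: float = 5.0):
    """Fetch a URL on a server you administer; returns (status, body)."""
    try:
        with urllib.request.urlopen(url, timeout=timeout) as r:
            return r.status, r.read(65536)
    except urllib.error.HTTPError as e:
        return e.code, e.read(65536)

# Constructed sample responses for the two paths named in the thread.
SAMPLES = {
    "/script.pl": (200, b"<html><body>Hello from the script</body></html>"),
    "/cfmx/script.pl": (200, b'#!/usr/bin/perl\nuse strict;\nmy $q = 1;\nprint "hi";\n'),
}

def audit(responses):
    """Map each path to its verdict; any 'source-exposed' entry needs fixing."""
    return {path: classify(s, b) for path, (s, b) in responses.items()}

if __name__ == "__main__":
    for path, verdict in audit(SAMPLES).items():
        print(f"{path}: {verdict}")
```

To run it against a live server, build the dictionary with fetch() for both URL forms instead of using SAMPLES.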

