httpd-users mailing list archives

From "Boyle Owen" <>
Subject RE: [users@httpd] Can a misconfiguration leak source code?
Date Tue, 08 Jul 2003 07:17:48 GMT
>-----Original Message-----
>From: Jon Ryder []
>My Apache server is running happily and everything is
>working fine.  In order to use Perl/CGI scripts, I
>have uploaded all the scripts into a /cgi-bin/ and
>then used the ScriptAlias directive.  Also I have used
>the following.
><IfModule mod_mime.c>
>    AddHandler cgi-script .cgi .pl
></IfModule>
>I am worried I may one day make a small mistake,
>without noticing, which will leak the source code to
>the browser, say if I mapped a DocumentRoot to the
>cgi-bin by mistake?  But as I am using AddHandler
>cgi-script I take it, Apache will execute all .pl/.cgi
>(in my case above) whatever directory they are in, or
>whatever permission the files may have?

"whatever directory" - Yes.
"whatever permission" - No. Apache cannot force execution of a file if
the OS forbids it.

>Is the AddHandler on a per server directive or can it
>be changed per VirtualHost?

Harrumph - this can easily be answered by looking at the "Context" line
on the doc-page for the AddHandler directive... To save you the bother,
here it is:

	AddHandler directive
	Context: server config, virtual host, directory, .htaccess

So, yes, it can be set at server config level (as you have done) but
also at a lower level (VH, dir, .htaccess). Note carefully that later
directives *add* to previous ones if the extension is distinct, but
*overwrite* if the extension is the same. For example:

AddHandler cgi-script .pl .xyz          # server config
  AddHandler cgi-script .cgi            # inside <VirtualHost> for VH1
    AddHandler server-parsed .xyz       # inside <Directory> for DIR_A of VH1

would mean that:

- in DIR_A of VH1, .pl and .cgi are CGIs and .xyz is SSI
- elsewhere in VH1, .pl, .cgi and .xyz are CGIs
- on all other VHs, .pl and .xyz are CGIs

If you're not careful, it *is* possible to misconfigure Apache so that
your scripts are viewable. So you have to be careful. But that is always
the case with programming, so what's the problem?

Owen Boyle
Disclaimer: Any disclaimer attached to this message may be ignored. 
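The following is an added example, not code from the thread or the Apache project. It models the AddHandler merge rule Owen describes (later scopes add distinct extensions and overwrite matching ones) and flags, for each scope, any script extension left without an executing handler, which is exactly the case where a reachable .pl or .cgi file would be sent to the browser as plain text. Function and scope names (merge_handlers, SERVER, VH1, DIR_A) are hypothetical.

```python
# Added example: simulate how AddHandler directives merge across Apache
# configuration scopes and spot extensions that would be served as source.
# Handlers that execute a file instead of serving its bytes (assumption:
# only the two handlers used in the thread are modelled).
SCRIPT_HANDLERS = {"cgi-script", "server-parsed"}

def merge_handlers(*scopes):
    """Merge AddHandler maps from outermost scope (server config) to
    innermost (directory / .htaccess). Each scope is a list of
    (handler, [extensions]). A later directive adds new extensions and
    overwrites an extension that was already mapped."""
    effective = {}
    for directives in scopes:
        for handler, exts in directives:
            for ext in exts:
                effective[ext] = handler   # same extension: inner scope wins
    return effective

def unhandled_script_extensions(effective, script_exts):
    """Extensions with no executing handler: a reachable file with such an
    extension would be delivered as a plain file, i.e. its source shown."""
    return sorted(e for e in script_exts
                  if effective.get(e) not in SCRIPT_HANDLERS)

# Constructed to mirror Owen's example: server config, VH1, DIR_A of VH1,
# plus a second virtual host that adds nothing of its own.
SERVER = [("cgi-script", [".pl", ".xyz"])]
VH1 = [("cgi-script", [".cgi"])]
DIR_A = [("server-parsed", [".xyz"])]
VH2 = []

def example():
    """Effective handler map for each of the three scopes in the thread."""
    return {
        "vh1_dir_a": merge_handlers(SERVER, VH1, DIR_A),
        "vh1_elsewhere": merge_handlers(SERVER, VH1),
        "other_vh": merge_handlers(SERVER, VH2),
    }

if __name__ == "__main__":
    for scope, eff in example().items():
        leak = unhandled_script_extensions(eff, [".pl", ".cgi", ".xyz"])
        print(scope, eff, "served as source:", leak or "none")
```

Running it shows that on the other virtual hosts .cgi has no handler at all, so a .cgi file placed under that host's DocumentRoot would be served verbatim.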


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:
