httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Purl Gurl <>
Subject Re: [users@httpd] Setting environment variables based on query string specifics
Date Tue, 18 May 2004 03:32:42 GMT
Tom wrote:

(snipped for brevity)

> I have a CGI binary running in Apache.  The executable runs differently
> based on configuration files, i.e.
> http://localhost/cgi-bin/ ...

> ...will behave differently than:
> http://localhost/cgi-bin/ ...
> We would like to conceal this environment variable as it points to a file
> path.

Tom, I looked at variables which are hooked into set environment.
My hope was to find a variable which could be used easily and
not disclose your sensitive data. Etag caught my eye, but further
research discloses this would not be a good choice.

Concealing URL data, query string data, is always challenging.
Even when you can hide this from a browser, there are ways
to discover the data, such as sniffing the stream. Proxitron
has a nice feature for this, which is not nice for you.

What I always do, literally, to conceal sensitive data, is to
"secret code" my data, pump it into a cgi application, then
return results to a browser.

A simple example,

http .. url?input=a
http .. url?input=b
http .. url?input=c

A client only sees the a, b and c part of the query. Some
security risks there, but acceptable.

Within my cgi application, the query string is parsed,
my "secret code" translated to arguments, another program
is excuted and returns are then printed to the client. 

You have a single cgi application which accepts input
from any number of pages, form actions, query strings,
whatever, a single application which performs all the
work while concealing arguments and locations. This
is a "middle man" approach, which is what cgi does best.

I am not sure using Apache for this is your best option.
You could use Apache, could use rewrite rules or other
methods, but I think you will find this not efficient
and rather challenging to establish, with security.

There is really only one method, of which I know, to
conceal this type of data specific to your circumstances.
This method is to keep your client outside, keep data
completely internal and well protected.

Maybe others know of methods and will share them.


The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message