httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Eric>
Subject Re: [users@httpd] disabling all cgi
Date Fri, 20 Aug 2004 19:10:08 GMT

That is a very interesting problem. My first thought was, well of course 
you can just remove mod_cgi and mod_php, but then the rest of your site 
will not work :) But you could setup an Apache that is compiled without any 
dynamic modules including mod_cgi and then use mod_rewrite to make it seem 
a part of your site.

ProxyPass        /uploads/ http://localhost:8080/uploads/
ProxyPassReverse /uploads/ http://localhost:8080/uploads/

Just a thought..

Joshua, I was interested to learn that -ExecCGI gets ignored sometimes, 
which modules do that?


direct from your main apache to the "safe" apache.

At 11:44 AM 8/20/2004, you wrote:
>On Fri, 20 Aug 2004 13:24:16 -0500, Davy Durham <> 
> > Hi,
> >   I'm developing a part of my site where users will be able to
> > upload/download files via http.  However, currently if a user were to
> > upload for instance a .php file then it executes it.
> >
> > QUESTION: Is there a blanket way to disable execution of anything?
>I don't think so.
>In a perfect world, you could simply
>SetHandler default-handler
>RemoveOutputFilter *
>Option -ExecCGI
>But many modules deviously use "magic" mime-types which activate
>handlers in the background, the RemoveOutputFilter directive doesn't
>work like that, and not all modules honour the ExecCGI flag.
>So I think you are pretty-much stuck handling each
>dynamic-content-source separately.
>The official User-To-User support forum of the Apache HTTP Server Project.
>See <URL:> for more info.
>To unsubscribe, e-mail:
>    "   from the digest:
>For additional commands, e-mail:

Lead Programmer
D.M. Contact Management
250.383.8267 ext 229 

The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:> for more info.
To unsubscribe, e-mail:
   "   from the digest:
For additional commands, e-mail:

View raw message