Return-Path: Delivered-To: apmail-httpd-users-archive@www.apache.org Received: (qmail 56458 invoked from network); 20 Aug 2004 19:09:26 -0000 Received: from hermes.apache.org (HELO mail.apache.org) (209.237.227.199) by minotaur-2.apache.org with SMTP; 20 Aug 2004 19:09:26 -0000 Received: (qmail 68857 invoked by uid 500); 20 Aug 2004 19:09:09 -0000 Delivered-To: apmail-httpd-users-archive@httpd.apache.org Received: (qmail 68847 invoked by uid 500); 20 Aug 2004 19:09:09 -0000 Mailing-List: contact users-help@httpd.apache.org; run by ezmlm Precedence: bulk Reply-To: users@httpd.apache.org list-help: list-unsubscribe: list-post: Delivered-To: mailing list users@httpd.apache.org Received: (qmail 68834 invoked by uid 99); 20 Aug 2004 19:09:09 -0000 X-ASF-Spam-Status: No, hits=2.6 required=10.0 tests=HELO_DYNAMIC_IPADDR X-Spam-Check-By: apache.org Received: from [142.179.101.223] (HELO s142-179-101-223.bc.hsia.telus.net) (142.179.101.223) by apache.org (qpsmtpd/0.27.1) with ESMTP; Fri, 20 Aug 2004 12:09:06 -0700 Received: from L19.kwinternet.com (unknown [192.168.0.163]) by s142-179-101-223.bc.hsia.telus.net (Postfix) with ESMTP id 2B7CD200 for ; Fri, 20 Aug 2004 12:09:11 -0700 (PDT) Message-Id: <6.1.1.1.2.20040820120320.02f13ff8@mail.kwinternet.com> X-Sender: ef@mail.kwinternet.com X-Mailer: QUALCOMM Windows Eudora Version 6.1.1.1 Date: Fri, 20 Aug 2004 12:10:08 -0700 To: users@httpd.apache.org From: Eric In-Reply-To: References: <412641D0.7020902@davyandbeth.com> Mime-Version: 1.0 Content-Type: text/plain; charset="us-ascii"; format=flowed X-Virus-Checked: Checked Subject: Re: [users@httpd] disabling all cgi X-Spam-Rating: minotaur-2.apache.org 1.6.2 0/1000/N Hi, That is a very interesting problem. My first thought was, well of course you can just remove mod_cgi and mod_php, but then the rest of your site will not work :) But you could setup an Apache that is compiled without any dynamic modules including mod_cgi and then use mod_rewrite to make it seem a part of your site. ProxyPass /uploads/ http://localhost:8080/uploads/ ProxyPassReverse /uploads/ http://localhost:8080/uploads/ Just a thought.. Joshua, I was interested to learn that -ExecCGI gets ignored sometimes, which modules do that? Eric direct from your main apache to the "safe" apache. At 11:44 AM 8/20/2004, you wrote: >On Fri, 20 Aug 2004 13:24:16 -0500, Davy Durham >wrote: > > Hi, > > I'm developing a part of my site where users will be able to > > upload/download files via http. However, currently if a user were to > > upload for instance a .php file then it executes it. > > > > QUESTION: Is there a blanket way to disable execution of anything? > >I don't think so. > >In a perfect world, you could simply >SetHandler default-handler >RemoveOutputFilter * >Option -ExecCGI > >But many modules deviously use "magic" mime-types which activate >handlers in the background, the RemoveOutputFilter directive doesn't >work like that, and not all modules honour the ExecCGI flag. > >So I think you are pretty-much stuck handling each >dynamic-content-source separately. > >Joshua. > >--------------------------------------------------------------------- >The official User-To-User support forum of the Apache HTTP Server Project. >See for more info. >To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org > " from the digest: users-digest-unsubscribe@httpd.apache.org >For additional commands, e-mail: users-help@httpd.apache.org Lead Programmer D.M. Contact Management 250.383.8267 ext 229 --------------------------------------------------------------------- The official User-To-User support forum of the Apache HTTP Server Project. See for more info. To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org " from the digest: users-digest-unsubscribe@httpd.apache.org For additional commands, e-mail: users-help@httpd.apache.org