httpd-users mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Rich Pinder <rpin...@usc.edu>
Subject Re: [users@httpd] Hiding contents of .py script files
Date Mon, 20 Sep 2004 20:33:51 GMT
<!DOCTYPE html PUBLIC "-//W3C//DTD HTML 4.01 Transitional//EN">
<html>
<head>
  <meta content="text/html;charset=ISO-8859-1" http-equiv="Content-Type">
  <title></title>
</head>
<body bgcolor="#ffffff" text="#000000">
Thanks for this idea.<br>
<br>
I tried this&nbsp; (but still can view the page(s)):<br>
<br>
<blockquote type="cite"><tt>&lt;Files ~ "^\.py"&gt;<br>
&nbsp;&nbsp;&nbsp; Order allow,deny<br>
&nbsp;&nbsp;&nbsp; Deny from all<br>
&nbsp;&nbsp;&nbsp; Satisfy All<br>
&lt;/Files&gt;</tt></blockquote>
<br>
I also used&nbsp; "^\*.py"&nbsp;&nbsp; - am I missing something here ??&nbsp;
The files I'm
trying to hide all have the .py extension.<br>
<br>
I also discovered something quite odd.&nbsp; I use rewrite rules to use
HTTPS for this site, and force all users to be redirected to https.<br>
But the ONLY time the contents of this script file is shown is when you
enter the full, NON https url, into the browser. If I enter it using&nbsp;
https, I get the 404 returned.<br>
Very odd.<br>
<br>
Rich<br>
<br>
Wick, Daniel wrote:<br>
<blockquote
 cite="mid11864A3328DDD5119DE70002A540D64A0F8328DF@ntblm16.dci.com"
 type="cite">
  <pre wrap="">Rich,

In the sample httpd.conf file it shows how to do this.  See:

#
# The following lines prevent .htaccess and .htpasswd files from being 
# viewed by Web clients. 
#
&lt;Files ~ "^\.ht"&gt;
    Order allow,deny
    Deny from all
&lt;/Files&gt;

Just add another &lt;Files&gt; to match the regex to match your .py files.

-Dan

  </pre>
  <blockquote type="cite">
    <pre wrap="">-----Original Message-----
From: Rich Pinder [<a class="moz-txt-link-freetext" href="mailto:rpinder@usc.edu">mailto:rpinder@usc.edu</a>]
Sent: Monday, September 20, 2004 3:08 PM
To: <a class="moz-txt-link-abbreviated" href="mailto:users@httpd.apache.org">users@httpd.apache.org</a>
Subject: [users@httpd] Hiding contents of .py script files


I'm using Apache 1.3 with Python (Kinterbas) to access a 
Firebird database.

The .py script resides in a directory under the document 
root.  If you 
enter the full url to the script file, the browser returns a textual 
representation of the script  (complete with all my connection string 
info &amp; password into the database !)

What is a suggested way to disallow this ??  Can I add 
something to the 
.conf file that renders all .py scripts 'non browserable' ??  
I believe 
there was (good?) reason that the script files are under the 
document root.

thanks for your help

rich

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP 
Server Project.
See <a class="moz-txt-link-rfc1738" href="http://httpd.apache.org/userslist.html">&lt;URL:http://httpd.apache.org/userslist.html&gt;</a>
for more info.
To unsubscribe, e-mail: <a class="moz-txt-link-abbreviated" href="mailto:users-unsubscribe@httpd.apache.org">users-unsubscribe@httpd.apache.org</a>
   "   from the digest: <a class="moz-txt-link-abbreviated" href="mailto:users-digest-unsubscribe@httpd.apache.org">users-digest-unsubscribe@httpd.apache.org</a>
For additional commands, e-mail: <a class="moz-txt-link-abbreviated" href="mailto:users-help@httpd.apache.org">users-help@httpd.apache.org</a>

    </pre>
  </blockquote>
  <pre wrap=""><!---->
---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <a class="moz-txt-link-rfc1738" href="http://httpd.apache.org/userslist.html">&lt;URL:http://httpd.apache.org/userslist.html&gt;</a>
for more info.
To unsubscribe, e-mail: <a class="moz-txt-link-abbreviated" href="mailto:users-unsubscribe@httpd.apache.org">users-unsubscribe@httpd.apache.org</a>
   "   from the digest: <a class="moz-txt-link-abbreviated" href="mailto:users-digest-unsubscribe@httpd.apache.org">users-digest-unsubscribe@httpd.apache.org</a>
For additional commands, e-mail: <a class="moz-txt-link-abbreviated" href="mailto:users-help@httpd.apache.org">users-help@httpd.apache.org</a>


  </pre>
</blockquote>
</body>
</html>

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org


Mime
View raw message