httpd-users mailing list archives

From Joshua Slive <jsl...@gmail.com>
Subject Re: [users@httpd] Restricted directories
Date Tue, 22 Nov 2005 00:15:54 GMT
On 11/21/05, Brent Herring <brenth@uca.edu> wrote:

> >> The problem is this: Many pages on the web site are accessed by a Perl
> >> script. The script writes out the page template that is the same for all the
> >> pages on the site, and then reads in the data for each individual page
> >> from individual html files on the server. If you attempt to access a file in
> >> the restricted directory using the script the web server directory restrictions
> >> are ignored and the file is displayed.

> The script is accessed by a URL link such as this...
>
>         http://it.uca.edu/cgi-bin/cs.pl?DF=helpdesk.html
>
>
> The script reads in the file like this...
>
> open(inputfile, "<",$htmldir . $datafile);
> @data = <inputfile>;
> close(inputfile);
> foreach $line (@data)
>         {
>         print $line;
>         }
>
> There are no errors in the log because no error occurs. There is no configuration within
> the script. It is of the simplest form. It merely reads a file and writes text to the output.
>
> The directory is restricted with the following Apache configuration entry
>
> <Directory /srv/www/htdocs/restricted>
> Order Deny,Allow
> Deny from all
> Allow from 161.31.66
> </Directory>

Ok.  That's clearer.

In this case, there is nothing that apache can do.  The script is
accessing the files directly through the file-system, and therefore no
apache controls will have any effect.  The typical way to address that
is to take the files out of the document root (so they are not
directly accessible from the web at all, and hence do not need
protection in the apache config) and then implement the necessary
access controls as part of the perl script.

An alternative is to use something like mod_rewrite, which can look at
the query string and do access restrictions based on what it sees
there.  But I wouldn't recommend this solution, since it could get
very complicated.

Joshua.

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
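
One way to do the access control inside the script, as the reply above suggests. This is an added example, not code from the thread: the data directory path and the function names are assumptions, while the DF parameter and the 161.31.66 range come from the quoted post.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use CGI ();
use Cwd qw(realpath);

# Assumed layout (not from the original post): page fragments live outside the
# document root at a canonical path, protected ones under "restricted".
my $DATA_ROOT     = '/srv/www/data';
my $RESTRICTED    = "$DATA_ROOT/restricted";
my $ALLOWED_RANGE = qr/\A161\.31\.66\.\d{1,3}\z/;   # mirrors "Allow from 161.31.66"

# Map the DF parameter to a real file under $DATA_ROOT, or return undef.
sub resolve_datafile {
    my ($name) = @_;
    return unless defined $name;
    # Each path component must start with a word character: no "..", no leading "/".
    my $part = qr{[A-Za-z0-9_][A-Za-z0-9_.-]*};
    return unless $name =~ m{\A$part(?:/$part)*\.html\z};
    # realpath() resolves symlinks, so a link pointing elsewhere is caught below.
    my $path = realpath("$DATA_ROOT/$name");
    return unless defined $path && -f $path;
    return unless index($path, "$DATA_ROOT/") == 0;
    return $path;
}

# Apply the rule the <Directory> block expressed, but inside the script.
sub client_allowed {
    my ($path, $addr) = @_;
    return 1 unless index($path, "$RESTRICTED/") == 0;
    return defined $addr && $addr =~ $ALLOWED_RANGE;
}

my $q    = CGI->new;
my $path = resolve_datafile(scalar $q->param('DF'));
if (!defined $path) {
    print $q->header(-status => '404 Not Found', -type => 'text/plain'), "Not found\n";
}
elsif (!client_allowed($path, $ENV{REMOTE_ADDR})) {
    print $q->header(-status => '403 Forbidden', -type => 'text/plain'), "Forbidden\n";
}
else {
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    print $q->header(-type => 'text/html');
    # The site's page template would be written around this content.
    print while <$fh>;
    close($fh);
}
```

Because the check runs on the resolved path, a symlink from a public directory into the restricted one is subject to the same address rule.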

