httpd-users mailing list archives

From Jason Vas Dias <jason.vas.d...@gmail.com>
Subject Re: [users@httpd] Re: denying access to SSI fragments
Date Wed, 06 Apr 2011 18:24:52 GMT
And, in briefly re-examining my reason for developing this module, here's
what happens when, on a stock freshly installed httpd-2.2.17-1.fc14.x86_64
FC-14 setup, I try to do:

 in /etc/httpd/conf/httpd.conf :
  @line 320:
<Directory "/var/www/html">

#
# Possible values for the Options directive are "None", "All",
# or any combination of:
#   Indexes Includes FollowSymLinks SymLinksifOwnerMatch ExecCGI MultiViews
#
# Note that "MultiViews" must be named *explicitly* --- "Options All"
# doesn't give it to you.
#
# The Options directive is both complicated and important.  Please see
# http://httpd.apache.org/docs/2.2/mod/core.html#options
# for more information.
#
    XBitHack on
    Options Indexes FollowSymLinks Includes


And then create /var/www/html/test_inc.html :

$ echo '<!--#include file="/var/www/include/test.inc"-->
' > /var/www/html/test_inc.html
$ chown apache:apache /var/www/html/test_inc.html; chmod 0755 /var/www/html/test_inc.html
and then create /var/www/include/test.inc :
$ echo '<html>
<head>
<title> It worked!</title>
</head>
</html>
' > /var/www/include/test.inc
$ chown apache:apache /var/www/include/test.inc; chmod 0644  /var/www/include/test.inc
$ curl http://127.0.0.1/html/test_inc.html
[Wed Apr 06 18:13:43 2011] [error] [client 127.0.0.1] unable to include file "/var/www/include/test.inc"
in parsed file /var/www/html/test_inc.html
[an error occurred while processing this directive]

Gee, what an informative error message! (I was doing 'tail -f /var/log/http/error_log &'.)

This is because there is no "<Directory> ... </Directory>" entry for "/var/www/include".
So standard apache SSI can't work even if my scripts use absolute URLs - my
include directory MUST be in some '<Directory>...</Directory>' - but I don't
want to provide any HTTP/S access to SSI fragments - so how can I put them
in a non-'<Directory>...</Directory>' location?

So to me it is just easier to develop the 'ssi-fragment' mime-type handler module,
which enables SSI to be used freely, safely and efficiently by scripts without
letting all-and-sundry access SSI fragments which may be security sensitive
outside their containing documents.

My ssi-fragment module has been working OK for some months now on my client's web-server.

I'll check with my client to see if it's OK to make it open-source, and if so,
will post it here or to 'apache-contrib' - I can't find anything else that does the job.

All the best,
Jason

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
   "   from the digest: users-digest-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@httpd.apache.org
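
Added example, not part of the original message and not the ssi-fragment module it describes: one stock-httpd 2.2 way to let mod_include pull in fragments from /var/www/include while refusing direct client requests for them, using mod_rewrite's IS_SUBREQ variable. The /include/ URL prefix and the use of `include virtual` instead of `include file` are assumptions made for this sketch.

```apache
# Added example (not from the original message). Assumes mod_include and
# mod_rewrite are loaded; the /include/ URL prefix is a name chosen here.

# Map a URL prefix onto the fragment directory so that mod_include can
# fetch fragments through an internal subrequest.
Alias /include/ "/var/www/include/"

<Directory "/var/www/include">
    Options None
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>

# Server-context rule: a request for /include/... that is not a subrequest
# (it arrived directly from a client) is answered with 403 Forbidden.
# Subrequests issued by an include directive have IS_SUBREQ set to "true",
# so the condition fails for them and the fragment is served.
RewriteEngine On
RewriteCond %{IS_SUBREQ} =false
RewriteRule ^/include/ - [F]

# The parsed page then references the fragment by URL path, for example in
# /var/www/html/test_inc.html:
#   <!--#include virtual="/include/test.inc" -->
```

If the site is served from a `<VirtualHost>`, the three Rewrite lines belong inside that virtual host, because mod_rewrite settings are not inherited from the main server by default.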

