httpd-users mailing list archives

From Christoph Anton Mitterer <cales...@scientia.net>
Subject [users@httpd] how to limit usage (not location) of (specific) cgi scripts to <Directories>
Date Sat, 31 Dec 2011 02:01:41 GMT
Hi.

Is it somehow possible to limit the _usage_ of cgi-scripts to one
<Directory> or <Location>?
I do not mean the _location_ of the cgi-scripts themselves (which can be
limited e.g. via ScriptAlias).



Here's the case:

I have a vhost, where PHP shall be enabled for a single <Directory>, but
only for this directory.
This is easy:

<VirtualHost ...>

	ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

	<Directory foo>
		Action application/x-httpd-php /cgi-bin/php5
	</Directory>

	<Directory bar>
		...
	</Directory>

</VirtualHost>

Now .php files in foo are interpreted by /usr/lib/cgi-bin/php5 but
files in / or bar are not, as there is no action configured.


The remaining problems now are:
a) Any other CGI scripts in /usr/lib/cgi-bin/ (and my distro, Debian,
puts several in there - which I use on other vhosts)
b) as well as php5
can be invoked by clients by directly going to
http://example.org/cgi-bin/something.

(a) can seemingly be solved, by just using some
<Directory>+<Files>+Allow/Deny directives... that just deny access to
anything but php5.
But this has the drawback that I cannot use these CGI scripts (e.g.
interpreters) for files in other dirs, e.g. bar.

I also can't do this denying per directory, as far as I can see, as it's
not possible to somehow "nest" <Directory> blocks.

I guess in principle I'd be looking for an Action directive (which can
be used in <Directory> context) whose 2nd argument is not taken to be a
URI-location but a filesystem location, e.g.
Action2 application/x-httpd-php /usr/lib/cgi-bin/php5

That way, one wouldn't have to expose any /cgi-bin/ to the outside, with
possible unwanted CGI scripts that can be seen/invoked.


Is there some way to get what I want? :)


Thx,
Chris.
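
A configuration sketch for the situation described in the message above, added here as an example and not part of the original post or of any reply to it. It assumes Apache 2.2 access-control syntax (the Allow/Deny directives the post mentions) and relies on Apache setting the REDIRECT_STATUS environment variable on internally redirected requests, which is how Action hands a file to its CGI interpreter; `otherinterp` and `application/x-hypothetical` are hypothetical names.

```apache
# Added example, not from the original post. Apache 2.2 syntax
# (mod_alias, mod_actions, mod_authz_host). "foo" and "bar" are the
# placeholder directories from the post; "otherinterp" and the
# "application/x-hypothetical" type are made up for illustration.

ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/

<Directory /usr/lib/cgi-bin>
    # A client asking for http://example.org/cgi-bin/something arrives
    # without REDIRECT_STATUS and is refused. A request that reaches a
    # script through an Action internal redirect carries the variable
    # and is allowed.
    Order deny,allow
    Deny from all
    Allow from env=REDIRECT_STATUS
    # Apache 2.4 equivalent of the three lines above:
    #   Require env REDIRECT_STATUS
</Directory>

<Directory foo>
    # Only files under foo are handed to php5.
    Action application/x-httpd-php /cgi-bin/php5
</Directory>

<Directory bar>
    # bar can use a different interpreter from the same cgi-bin
    # directory; it is still not reachable by its /cgi-bin/ URL.
    Action application/x-hypothetical /cgi-bin/otherinterp
</Directory>
```

REDIRECT_STATUS is also set on other internal redirects (ErrorDocument, mod_rewrite), so this refuses direct client requests to /cgi-bin/ but is not a per-script allowlist; which script serves which directory is still decided by where the Action directives are placed. PHP's own `cgi.force_redirect` setting checks the same variable on the interpreter side.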
