www-apache-bugdb mailing list archives

Site index · List index
Message view « Date » · « Thread »
Top « Date » · « Thread »
From Mike Machado <m...@cheapnet.net>
Subject config/1752: .cgi files execute as a cgi and I cont want them to.
Date Sun, 01 Feb 1998 19:48:02 GMT

>Number:         1752
>Category:       config
>Synopsis:       .cgi files execute as a cgi and I cont want them to.
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    apache
>State:          open
>Class:          sw-bug
>Submitter-Id:   apache
>Arrival-Date:   Sun Feb  1 11:50:00 PST 1998
>Originator:     mike@cheapnet.net
>Release:        1.2.4
Im an running Linux 2.0.33 RedHat release 4.1. gcc
I know your page said nothing about cgi's, but this is not about programming them. 
in the srm.conf I have made sure the addhandeler line with .cgi is commented out,
but users on my system can simply put .cgi as a file and they can execute cgi's
with the webservers permissions. I have installed cgiwrap, and it works well. But
there is a problem that users dont have to go though the wrapper, if they put .cgi.
Is there somewhere in the source that .cgi is enabled my default? How can I turn it 
off, and still let certain users ue cgui through the wrapper?
www.cheapnet.net/~mike/cgi-bin/wwwlog.pl <- normal file I want to go throught the 
wrapper at like: www.cheapnet.net/cgi-bin/cgiwrap/~mike/wwwlog.pl

BUT if a user did something like www.cheapnet.net/~mike/cgi-bin/wwwlog.cgi they can
get through without using the wrapper!?
Turn .cgi off by default in the source, it that is the way it is setup right now..
[In order for any reply to be added to the PR database, ]
[you need to include <apbugs@Apache.Org> in the Cc line ]
[and leave the subject line UNCHANGED.  This is not done]
[automatically because of the potential for mail loops. ]

View raw message