www-infrastructure-dev mailing list archives

From Paul Querna <p...@querna.org>
Subject RFC: Disabling CGI on most VHosts
Date Sat, 29 Aug 2009 19:43:13 GMT
Hi,

In order to increase the security of our websites and considering our
most recent issues, I would like to consider disabling CGI support for
the vast majority of TLP Vhosts.

We have 301 CGI scripts in /x1/www (ignoring the wiki).

From my best estimates, only 3 of them are not variations on mirror.cgi:
  /x1/www/search.apache.org/index.cgi
  /x1/www/perl.apache.org/search/swish.cgi
  /x1/www/projects.apache.org/make_doap.cgi

So, 99% of the CGI Scripts in /x1/www/ are copies and variations of
download.cgi:
""""
#!/bin/sh
# Wrapper script around mirrors.cgi script
# (we must change to that directory in order for python to pick up the
#  python includes correctly)
cd /www/www.apache.org/dyn/mirrors
/www/www.apache.org/dyn/mirrors/mirrors.cgi $*

""""

All that mirrors.cgi does is read the original path out, convert the
.cgi to .html, and use the .html file on disk as a template:
<http://svn.apache.org/repos/asf/infrastructure/site/trunk/docs/dyn/mirrors/mirrors.cgi>

At first I believed we could replace all of these with a few rewrite
rules and a small modification to the mirror.cgi script:
RewriteRule ^/download.cgi$ /www/www.apache.org/dyn/mirrors/mirrors.cgi/%{SERVER_NAME}/%{REQUEST_URI}

As putting RewriteRules in hundreds of places is potentially painful,
it might be reasonable to write a small Apache httpd module (heh,
heh), mod_asf_downloads, which would bind to the .cgi extension in
most vhosts.  It would scan the .cgi file for the mirrors.cgi
invocation, and if detected automatically rewrite the URL to
mirrors.cgi. (I'd estimate about 150 lines of C).    This would make
for a seamless 'upgrade' for most vhosts, and mean we could turn off
ExecCGI very soon, instead of asking for every TLP to change
something.

Thoughts?

Thanks,

Paul
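
An added example, not part of the original message and not ASF infrastructure code: a Python audit that walks a docroot and separates CGI scripts that are pure mirrors.cgi wrappers from those needing manual review before ExecCGI is turned off. The mirrors.cgi path is the one in the quoted wrapper; the function names, the set of allowed statement shapes and the sample tree are assumptions made for illustration.

```python
import re
import tempfile
from pathlib import Path

# Path taken from the download.cgi wrapper quoted in the message.
MIRRORS_CGI = "/www/www.apache.org/dyn/mirrors/mirrors.cgi"
SHEBANG = re.compile(r"#!\s*/bin/(ba)?sh\s*")
CD = re.compile(r"cd\s+[\w./-]+")
INVOKE = re.compile(re.escape(MIRRORS_CGI) + r'(\s+"?\$[*@]"?)?')
CHAINING = re.compile(r"[;&|`<>]|\$\(")   # anything that could run a second command

def is_mirrors_wrapper(text):
    """True only if the script does nothing but cd and invoke mirrors.cgi."""
    lines = text.splitlines()
    if not lines or not SHEBANG.fullmatch(lines[0]):
        return False
    stmts = [s for s in map(str.strip, lines[1:]) if s and not s.startswith("#")]
    ok = all(not CHAINING.search(s) and (CD.fullmatch(s) or INVOKE.fullmatch(s)) for s in stmts)
    return ok and any(INVOKE.fullmatch(s) for s in stmts)

def audit(docroot):
    """Return (wrappers, needs_review) for every *.cgi file under docroot."""
    wrappers, review = [], []
    for path in sorted(p for p in Path(docroot).rglob("*.cgi") if p.is_file()):
        bucket = wrappers if is_mirrors_wrapper(path.read_text(errors="replace")) else review
        bucket.append(path.relative_to(docroot).as_posix())
    return wrappers, review

# Constructed sample tree: one wrapper as quoted in the message, two that differ.
SAMPLES = {
    "a.example/download.cgi": "#!/bin/sh\n# Wrapper script around mirrors.cgi script\n"
        "cd /www/www.apache.org/dyn/mirrors\n" + MIRRORS_CGI + " $*\n\n",
    "b.example/download.cgi": "#!/bin/sh\ncd /www/www.apache.org/dyn/mirrors\n"
        + MIRRORS_CGI + " $* | tee /tmp/out\n",
    "c.example/index.cgi": "#!/usr/bin/perl\nprint \"ok\\n\";\n",
}

def demo():
    with tempfile.TemporaryDirectory() as root:
        for rel, body in SAMPLES.items():
            target = Path(root, rel)
            target.parent.mkdir(parents=True, exist_ok=True)
            target.write_text(body)
        return audit(root)

if __name__ == "__main__":
    print(demo())
```

Anything in the review list either is not a shell wrapper at all or does more than the single mirrors.cgi call, so it cannot be silently rewritten.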
