>Number: 4422
>Category: mod_auth-any
>Synopsis: parsing appears to stop at the CGI file.
>Confidential: no
>Severity: non-critical
>Priority: medium
>Responsible: apache
>State: open
>Class: sw-bug
>Submitter-Id: apache
>Arrival-Date: Sun May 16 18:30:01 PDT 1999
>Last-Modified:
>Originator: [EMAIL PROTECTED]
>Organization: apache
>Release: 1.3.6
>Environment: NT 4.0 w/ SP4, running DB2 and Net.Data, converting from Domino Web Server to Apache.
>Description: Net.data runs as a cgi-bin. (http://foo.com/db2www.cgi/trythid.d3w) where trythis.d3w is passed to db2www.cgi. I successfully restrict access to the cgi-bin directory & the program works just like Domino. Under Domino, I further restrict file access for files ending in .d2w. Under Apache, it appears that the file checking stops when it reaches the cgi and it transfers to there. The result is I lose the second level file protection. This may be the "parsed output" limitation and it works as designed. If so, I'll live without it.
>How-To-Repeat: Set up a cgi-bin where you pass the cgi a file. Then try to restrict access to the file.
>Fix:
>Audit-Trail:
>Unformatted:
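
A simplified model of the behaviour reported above, added here as an illustration (it is not Apache's code and not part of the original report): the URL resolves to db2www.cgi and the remainder is handed over as PATH_INFO, so a rule keyed on the file name is tested against db2www.cgi, while a rule keyed on the URL path still sees the trailing macro name. The /cgi-bin/ prefix, the report.d2w and public.html names, and all function names are assumptions made for the example.

```python
import re

# Constructed sample: the only file that exists under the hypothetical document root.
FILES_ON_DISK = {"/cgi-bin/db2www.cgi"}

def split_request(url_path):
    """Walk the URL left to right; the first prefix that is a real file is the
    script, and whatever follows is passed to it as PATH_INFO."""
    parts = url_path.strip("/").split("/")
    for i in range(1, len(parts) + 1):
        candidate = "/" + "/".join(parts[:i])
        if candidate in FILES_ON_DISK:
            rest = parts[i:]
            return candidate, ("/" + "/".join(rest) if rest else "")
    return None, ""

def files_rule_applies(pattern, url_path):
    """<Files>-style rule: tested only against the basename of the resolved file."""
    script, _ = split_request(url_path)
    if script is None:
        return False
    return re.search(pattern, script.rsplit("/", 1)[-1]) is not None

def location_rule_applies(pattern, url_path):
    """<Location>-style rule: tested against the whole URL path, PATH_INFO included."""
    return re.search(pattern, url_path) is not None

def report(url_path):
    """Summarise which of the modelled rules would cover this request."""
    script, path_info = split_request(url_path)
    return {
        "script": script,
        "path_info": path_info,
        "files_d2w": files_rule_applies(r"\.d2w$", url_path),
        "files_cgi": files_rule_applies(r"\.cgi$", url_path),
        "location_d2w": location_rule_applies(
            r"^/cgi-bin/db2www\.cgi/.*\.d2w$", url_path),
    }

if __name__ == "__main__":
    # Constructed request paths.
    for url in ("/cgi-bin/db2www.cgi/report.d2w", "/cgi-bin/db2www.cgi/public.html"):
        print(url, report(url))
```

In this model the file-name rule for .d2w never applies because the resolved file is always db2www.cgi; only the URL-path rule distinguishes the two requests.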