<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> ------------------------------------------------
> On Thu, 23 Jan 2003 03:41:30 -0800 (PST), Will <[EMAIL PROTECTED]> wrote:
>
> > Not about perl, but CGI...
> >
> > Does anyone know why it would be more secure not to
> > allow HTML files in a cgi-bin?
> >
> > I was working on a project with both perl cgis and
> > html files in the cgi-bin. The cgi's ran fine, but I
> > was getting all sorts of errors from the HTML. I
> > asked the host, and they said it was for security
> > reasons but nothing more.
> >
> > Just wondering if anyone would know what they meant.
> >
> > Thanks,
> >
> > Will
> >
>
> Personally sounds like a cookie cutter, security is on the brain,
> response. If you have access to write to the cgi-bin and *any* kind of
> file is set up as a handler then you have a security risk.
>
> There is no difference between a perl file and an html file at the
> system level, only that one usually contains Perl and one contains HTML.
> Without setting up a specific handler for HTML files found in script
> directories most likely the server will try and execute the script (HTML
> file), at which point no shebang will be found (in a normal HTML file
> that is) and then cough up an internal server error fur ball.
>
> Along these lines we used to set up cgi handlers for extensions like
> .bri, .matt, etc. so that each of our developers could write scripts
> with their own extension all in Perl (because it doesn't care about
> extensions) (granted this was 1998 and we should have been using RCS,
> etc.) but it worked well.
>
> The real question is why would you want/need to?
>

I'm assuming we're talking about an Apache HTTP server. Here's a snippet
from my httpd.conf.

# ScriptAlias: This controls which directories contain server scripts.
# ScriptAliases are essentially the same as Aliases, except that
# documents in the realname directory are treated as applications and
# run by the server when requested rather than as documents sent to the client.
# The same rules about trailing "/" apply to ScriptAlias directives as to
# Alias.
#
ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

<Directory "/var/www/cgi-bin">
    AllowOverride All
    Options ExecCGI
    Order allow,deny
    Allow from all
</Directory>

Which sounds like it is the configuration for your current server, but not
your previous. What this says is:

"anything in /var/www/cgi-bin/ can be accessed as http://server/cgi-bin/
BUT any and all files accessed this way through this server are to be
treated as programs to execute and not static files to dump."

mod_alias (the Apache handler dispatched to serve content from this
directory) then (usually) looks at the first line in the file to determine
what program to give the rest of the file to. In the case of an HTML file,
the first line is often something like <html> or a location of a DTD or an
XML processing instruction, all of which mod_alias knows nothing about,
hence your errors.

I replied to the group with this because the discussion also includes
getting perl scripts to execute on an Apache server, but please post all
replies to the proper newsgroup.

HTH,

Todd W.
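
An added example, not part of the original thread: a shell check an administrator could run over a ScriptAlias'd directory to list files the server would try to execute but cannot (no execute bit, or no "#!" line, which is the case that produces the internal server errors discussed above), plus files anyone can overwrite. The names audit_cgi_dir and has_mode and the sample files are assumptions constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the thread); helper names are hypothetical.
# Every regular file in a ScriptAlias'd directory is run as a program, so
# report files that cannot be executed, or that anyone may overwrite:
#   NOEXEC    no execute bit set for user, group or other
#   NOINTERP  does not start with "#!" and is not an ELF binary
#   WRITABLE  world-writable
# Prints "<finding> <path>" per problem; returns 1 if anything was reported.
has_mode() { [ -n "$(find "$1" -prune -perm "$2")" ]; }

audit_cgi_dir() {
    dir=$1
    found=0
    [ -d "$dir" ] || { echo "not a directory: $dir" >&2; return 2; }
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        if ! has_mode "$f" -0100 && ! has_mode "$f" -0010 && ! has_mode "$f" -0001; then
            echo "NOEXEC $f"; found=1
        fi
        # First four bytes as rendered by od -c: "#!/u", "177ELF", "<htm", ...
        magic=$(dd if="$f" bs=4 count=1 2>/dev/null | od -An -c | tr -d ' \n')
        case $magic in
            '#!'*|177ELF) ;;
            *) echo "NOINTERP $f"; found=1 ;;
        esac
        if has_mode "$f" -0002; then
            echo "WRITABLE $f"; found=1
        fi
    done
    return "$found"
}

# Constructed sample: a Perl CGI, a stray HTML page, a non-executable script.
demo=$(mktemp -d)
printf '#!/usr/bin/perl\nprint "Content-type: text/plain\\n\\nok\\n";\n' > "$demo/hello.cgi"
printf '<html><body>static page</body></html>\n' > "$demo/index.html"
printf '#!/usr/bin/perl\nprint "x";\n' > "$demo/noexec.pl"
chmod 755 "$demo/hello.cgi" "$demo/index.html"
chmod 644 "$demo/noexec.pl"
audit_cgi_dir "$demo" || true
rm -rf "$demo"
```

On a real server the argument would be the directory named in the ScriptAlias line, such as the /var/www/cgi-bin path in the snippet above.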