<[EMAIL PROTECTED]> wrote in message news:[EMAIL PROTECTED]...
>
> ------------------------------------------------
> On Thu, 23 Jan 2003 03:41:30 -0800 (PST), Will <[EMAIL PROTECTED]> wrote:
>
> > Not about perl, but CGI...
> >
> > Does anyone know why it would be more secure not to
> > allow HTML files in a cgi-bin?
> >
> > I was working on a project with both perl cgis and
> > html files in the cgi-bin.  The cgi's ran fine, but I
> > was getting all sorts of errors from the HTML.  I
> > asked the host, and they said it was for security
> > reasons but nothing more.
> >
> > Just wondering if anyone would know what they meant.
> >
> > Thanks,
> >
> > Will
> >
>
> Personally sounds like a cookie cutter, security is on the brain,
> response. If you have access to write to the cgi-bin and *any* kind of file
> is set up as a handler then you have a security risk. There is no
> difference between a perl file and an html file at the system level, only
> that one usually contains Perl and one contains HTML. Without setting up a
> specific handler for HTML files found in script directories most likely the
> server will try and execute the script (HTML file), at which point no
> shebang will be found (in a normal HTML file that is) and then cough up an
> internal server error fur ball. Along these lines we used to set up cgi
> handlers for extensions like .bri, .matt, etc. so that each of our
> developers could write scripts with their own extension all in Perl (because
> it doesn't care about extensions) (granted this was 1998 and we should have
> been using RCS, etc.) but it worked well. The real question is why would you
> want/need to?
>

I'm assuming we're talking about an apache http server. Here's a snippet from
my httpd.conf.

    # ScriptAlias: This controls which directories contain server scripts.
    # ScriptAliases are essentially the same as Aliases, except that
    # documents in the realname directory are treated as applications and
    # run by the server when requested rather than as documents sent to the client.
    # The same rules about trailing "/" apply to ScriptAlias directives as to
    # Alias.
    #
    ScriptAlias /cgi-bin/ "/var/www/cgi-bin/"

    <Directory "/var/www/cgi-bin">
        AllowOverride All
        Options ExecCGI
        Order allow,deny
        Allow from all
    </Directory>

Which sounds like it is the configuration for your current server, but not your
previous.

What this says is: "anything in /var/www/cgi-bin/ can be accessed as
http://server/cgi-bin/ BUT any and all files accessed this way through this
server are to be treated as programs to execute and not static files to
dump." mod_alias ( the apache handler dispatched to serve content from this
directory ) then ( usually ) looks at the first line in the file to
determine what program to give the rest of the file to. In the case of an
html file, the first line is often something like <html> or a location of a
DTD or an xml processing instruction, all of which mod_alias knows nothing
about, hence your errors.

I replied to the group with this because the discussion also includes
getting perl scripts to execute on an apache server, but please post all
replies to the proper newsgroup.

HTH,

Todd W.
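
An added example, not part of the original messages: a Python sketch that walks a directory mapped with ScriptAlias and predicts, per file, whether the server could execute it or would return an internal server error, following the behaviour described in this thread. The function names, verdict strings and sample files are assumptions constructed for illustration, and the checks are a heuristic for a Unix host.

```python
import os
import stat
import tempfile

ELF_MAGIC = b"\x7fELF"
X_BITS = stat.S_IXUSR | stat.S_IXGRP | stat.S_IXOTH

def classify(path):
    """Predict how a file under a ScriptAlias'd directory behaves when requested."""
    st = os.stat(path)
    if not stat.S_ISREG(st.st_mode):
        return "skip: not a regular file"
    with open(path, "rb") as fh:
        head = fh.read(256)
    executable = bool(st.st_mode & X_BITS)
    if head.startswith(b"#!"):
        # First line names the interpreter, e.g. "#!/usr/bin/perl -w"
        interp = head[2:].split(b"\n", 1)[0].split()
        if not interp:
            return "error: empty shebang"
        if not executable:
            return "error: script without execute bit"
        return "runs via " + interp[0].decode("utf-8", "replace")
    if head.startswith(ELF_MAGIC):
        return "runs as native binary" if executable else "error: binary without execute bit"
    # Plain HTML, images, text: nothing tells the OS how to execute it.
    return "error: static content, no shebang"

def audit(cgi_dir):
    """Return {filename: verdict} for every entry in cgi_dir."""
    return {n: classify(os.path.join(cgi_dir, n)) for n in sorted(os.listdir(cgi_dir))}

def build_sample(root):
    """Constructed sample files standing in for a real cgi-bin."""
    files = {
        "hello.pl": (b'#!/usr/bin/perl\nprint "Content-type: text/html\\n\\n";\n', 0o755),
        "index.html": (b"<html><body>static page</body></html>\n", 0o644),
        "form.pl": (b"#!/usr/bin/perl\nprint 1;\n", 0o644),
    }
    for name, (body, mode) in files.items():
        path = os.path.join(root, name)
        with open(path, "wb") as fh:
            fh.write(body)
        os.chmod(path, mode)
    return root

if __name__ == "__main__":
    with tempfile.TemporaryDirectory() as d:
        for name, verdict in audit(build_sample(d)).items():
            print(f"{name:12} {verdict}")
```

Files reported as static content belong under the document root rather than in the script directory.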


