Why don't you place the embedded Perl that you need in a directory where
the users on your website cannot write, and alias those scripts to appear
as if they were in the webtree? E.g. somewhere inside your Apache conf you
would have:
AliasMatch ^/(.*\.epl) "/web/embperl/$1"
<Files *.epl>
SetHandler perl-script
PerlHandler HTML::Embperl
Options +ExecCGI
</Files>
This would alias every embedded Perl script to a directory that only you
would have access to. This would prevent others from having .epl's in
the webtree, as Apache would be looking in /web/embperl/ for .epl's, but
that's what you want. Embedded Perl in regular .html files would be
ignored.
Or you could even restrict it to one location with:
<LocationMatch ^/mywebdir/mypage.html>
Options ExecCGI
SetHandler perl-script
PerlHandler HTML::Embperl
</LocationMatch>
mike
On Sun, 26 Nov 2000, Neil Gunton wrote:
> I am going to be allowing users on my website to upload and edit their
> own HTML files. I want the location of these files to be in the
> directory tree which is handled by Embperl (because I want EmbperlObject
> to be doing some work).
>
> Obviously it would be undesirable to let arbitrary Perl code be included
> in such HTML files, so I will be stripping out all instances of the
> following tokens when files are uploaded or edited:
>
> [-
> [+
> [!
> [*
> [$
>
> ... and the closing versions of these tokens too. It seems to me that
> this would effectively prevent any code from being executed in these
> files. But I want to run this by you more experienced heads out there.
> Am I missing something that would allow a sneaky user to get some code
> executed in the HTML? I am using Apache on Linux, and server-side
> includes are disabled. Anything else I am missing?
>
> Any ideas welcomed.
>
> TIA
>
> -Neil
>
> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [EMAIL PROTECTED]
> For additional commands, e-mail: [EMAIL PROTECTED]
>
--
[EMAIL PROTECTED] ,-_|\ UNIX Support
/ * Dept of Employment, Training
Phone: +61 7 3247 5724 \_,-._/ and Industrial Relations
Fax: +61 7 3247 9111 v http://www.detir.qld.gov.au/
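
The upload-time filtering described in the quoted question, as an added example that is not part of the thread: it rejects a file containing any of the five listed Embperl delimiters instead of storing a stripped copy, and counts what a single stripping pass leaves behind. The sub names and the sample strings are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Sub names are hypothetical.
use strict;
use warnings;

# Opening and closing forms of the five tokens listed in the question.
my $TOKEN = qr/\[[-+!*\$]|[-+!*\$]\]/;

# Return every delimiter found, with its line number, for the rejection message.
sub find_tokens {
    my ($html) = @_;
    my (@hits, $line);
    for my $text (split /\n/, $html) {
        $line++;
        push @hits, { line => $line, token => $1 } while $text =~ /($TOKEN)/g;
    }
    return @hits;
}

# The single-pass removal described in the question.
sub strip_once {
    my ($html) = @_;
    $html =~ s/$TOKEN//g;
    return $html;
}

# Accept only files with no delimiter at all. A stripped copy must be
# re-scanned before it is stored: deleting text can bring the characters on
# either side of the deletion together into a new delimiter.
sub check_upload {
    my ($html) = @_;
    my @hits = find_tokens($html);
    return @hits ? (0, \@hits) : (1, []);
}

# Constructed samples, not taken from any real upload.
my %samples = (
    clean  => "<p>See notes [1] and [2].</p>\n",
    block  => "<p>hi</p>\n[- \$x = 1 -]\n",
    nested => "<p>[[-- \$x = 1 --]]</p>\n",
);
for my $name (sort keys %samples) {
    my ($ok, $hits) = check_upload($samples{$name});
    my $left = scalar find_tokens(strip_once($samples{$name}));
    printf "%-6s accept=%d tokens=%d left_after_one_strip=%d\n",
        $name, $ok, scalar @$hits, $left;
}
```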