Re: .htacess security
On Thu, 3 Aug 2000, Ken Williams wrote:

> [EMAIL PROTECTED] (Rob Giseburt) wrote:
> > Are .htaccess files secure? I don't want users to be able to use <perl>...</perl> sections or any other mod_perl constructs (setting scripts to run via the Registry, for example) in .htaccess files. However, I need .htaccess files turned on so users can password protect directories site-wide (so I can't shut .htaccess files off completely.)
>
> I assume you need Perl sections in your main httpd.conf? If not, you can just shut it off altogether. Alternatively, you might want to shut it off and use a templating system to generate your httpd.conf file(s) so they don't have Perl sections in them.
>
> > One extra question: Can I turn on mod_perl SSI and have normal SSI calls at the same time? In other words, can I have one page (file.pshtml maybe) parsed by perl-extended SSI and another (file.shtml) be parsed by normal (without perl, mod_ssi?) SSI?
>
> I'm not sure (I think probably not), but you can get the same effect if you use Apache::SSI for some pages and regular mod_ssi for the others.

It also depends on what you mean by "mod_perl SSI". If Rob is talking about Ken's Apache::SSI handler, that's one thing, but compiling PERL_SSI=1 to add #perl extensions to "regular" mod_include is another. Setting up Apache::SSI to handle some files and mod_include to handle others is not a problem. But is it possible to selectively allow #perl in only some mod_include files?

If you're worried about people using Perl sections in .htaccess files, you're going to have to worry about <!--#perl sub="whatever" --> in SSI files too.
.htacess security
Are .htaccess files secure? I don't want users to be able to use <perl>...</perl> sections or any other mod_perl constructs (setting scripts to run via the Registry, for example) in .htaccess files. However, I need .htaccess files turned on so users can password protect directories site-wide (so I can't shut .htaccess files off completely.)

Is there any need to worry? I can't have users writing any code that will be executed by the primary httpd process ... all user CGI execution is done via mod_cgi and SuEXEC.

Thanks,
-Rob Giseburt

Random Quote: "When the chips are down, the buffalo is empty." (author unknown)
Re: .htacess security
On 8/3/2000 9:54 AM, Erich L. Markert at [EMAIL PROTECTED] wrote:

> Damn good question... I know the default apache config has a rule that prevents .htaccess files from being accessed via a URL but not from within an embedded.
>
> One way around this would be to use a database to handle accounts and use Apache::AuthDBI and then place directory access restrictions in your httpd.conf

I'd like to avoid that approach if at all possible. I want the users to have a 'standard apache interface' experience ... where the way to add/remove passwords to a directory is via .htaccess. But, a web-interface to directory access might look better...

One extra question: Can I turn on mod_perl SSI and have normal SSI calls at the same time? In other words, can I have one page (file.pshtml maybe) parsed by perl-extended SSI and another (file.shtml) be parsed by normal (without perl, mod_ssi?) SSI?

-Rob Giseburt

Random Quote: "Change is inevitable, except from a vending machine." (author unknown)
Re: .htacess security
[EMAIL PROTECTED] (Rob Giseburt) wrote:

> Are .htaccess files secure? I don't want users to be able to use <perl>...</perl> sections or any other mod_perl constructs (setting scripts to run via the Registry, for example) in .htaccess files. However, I need .htaccess files turned on so users can password protect directories site-wide (so I can't shut .htaccess files off completely.)

I assume you need Perl sections in your main httpd.conf? If not, you can just shut it off altogether. Alternatively, you might want to shut it off and use a templating system to generate your httpd.conf file(s) so they don't have Perl sections in them.

> One extra question: Can I turn on mod_perl SSI and have normal SSI calls at the same time? In other words, can I have one page (file.pshtml maybe) parsed by perl-extended SSI and another (file.shtml) be parsed by normal (without perl, mod_ssi?) SSI?

I'm not sure (I think probably not), but you can get the same effect if you use Apache::SSI for some pages and regular mod_ssi for the others.
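
An added example, not part of any message in this thread: one way to check that user .htaccess files hold only password-protection directives is to audit them against an allow-list and flag everything else, mod_perl constructs included. The allow-list, the function names and the sample file contents are assumptions made for illustration.

```python
import re

# Assumed allow-list: directives needed for basic password protection only.
ALLOWED_DIRECTIVES = {"authtype", "authname", "authuserfile", "authgroupfile", "require"}
# Assumed permitted containers; any other section (e.g. <Perl>, <Files>) is flagged.
ALLOWED_SECTIONS = {"limit", "limitexcept"}

def logical_lines(text):
    """Yield (line_number, text), joining backslash-continued lines as Apache does."""
    buf, start = "", None
    for n, raw in enumerate(text.splitlines(), 1):
        start = start or n
        if raw.endswith("\\"):
            buf += raw[:-1] + " "
            continue
        yield start, (buf + raw).strip()
        buf, start = "", None
    if buf:  # file ended in the middle of a continuation
        yield start, buf.strip()

def audit_htaccess(text):
    """Return [(line_number, line)] for every line outside the allow-list."""
    findings = []
    for n, line in logical_lines(text):
        if not line or line.startswith("#"):
            continue
        m = re.match(r"<\s*/?\s*(\w+)", line)  # opening or closing section tag
        name = m.group(1).lower() if m else line.split(None, 1)[0].lower()
        allowed = ALLOWED_SECTIONS if m else ALLOWED_DIRECTIVES
        if name not in allowed:
            findings.append((n, line))
    return findings

# Constructed sample: a password-protection file with mod_perl directives mixed in.
SAMPLE = """\
AuthType Basic
AuthUserFile /home/user/.htpasswd
<Limit GET POST>
require valid-user
</Limit>
SetHandler perl-script
PerlHandler \\
    Apache::Registry
<Perl>
</Perl>
"""

if __name__ == "__main__":
    print(*(f"line {n}: {l}" for n, l in audit_htaccess(SAMPLE)), sep="\n")
```

Anything the script reports is a line to review before the file is trusted; the allow-list is deliberately narrow and would need extending for sites that permit other directives.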