Hi. Is it somehow possible to limit the _usage_ of cgi-scripts to one <Directory> or <Location>. I do not mean the _location_ of the cgi-scripts themselves (which can be limited e.g. via ScriptAlias).
Here's the case:
I have a vhost, where PHP shall be enabled for a single <Directory>, but
only for this directory.
This is easy:
<VirtualHost ...>
ScriptAlias /cgi-bin/ /usr/lib/cgi-bin/
<Directory foo>
Action application/x-httpd-php /cgi-bin/php5
</Directory>
<Directory bar>
...
</Directory>
</VirtualHost>
Now .php files in foo, are interpreted by /usr/lib/cgi-bin/php5 but
files in / or bar are not, as there is no action configured.
The remaining problems now are:
a) Any other CGI scripts in /usr/lib/cgi-bin/ (and my distro, Debian,
puts several in there - which I use on other vhosts)
b) as well as php5
can be invoked by clients by directly going to
http://example.org/cgi-bin/something.
(a) can seemingly be solved, by just using some
<Directory>+<Files>+Allow/Deny directives... that just deny access to
anything but php5.
But this has the drawback, that I cannot use these CGI scripts (e.g.
interpreters) for files in other dirs, e.g. bar
I also can't do this denying per directory, as far as I can see, as it's
not possible to somehow "nest" <Directory> blocks.
I guess in principle I'd be looking for an Action directive (which can
be used in <Directory> context) whose 2nd argument is not taken to be a
URI-location but a filesystem location, e.g.
Action2 application/x-httpd-php /usr/lib/cgi-bin/php5
That way, one wouldn't have to expose any /cgi-bin/ to the outside, with
possible unwanted CGI scripts that can be seen/invoked.
Is there some way to get what I want? :)
Thx,
Chris.
smime.p7s
Description: S/MIME cryptographic signature
