On 11/21/05, Brent Herring <[EMAIL PROTECTED]> wrote:

> >> The problem is this: Many pages on the web site are accessed by a Perl
> >> script. The script writes out the page template that is the same for all
> >> the pages on the site, and then reads in the data for each individual page
> >> from individual html files on the server. If you attempt to access a file
> >> in the restricted directory using the script the web server directory
> >> restrictions are ignored and the file is displayed.

> The script is accessed by a URL link such as this...
>
>         http://it.uca.edu/cgi-bin/cs.pl?DF=helpdesk.html
>
>
> The script reads in the file like this...
>
> open(inputfile, "<",$htmldir . $datafile);
> @data = <inputfile>;
> close(inputfile);
> foreach $line (@data)
>         {
>         print $line;
>         }
>
> There are no errors in the log because no error occurs. There is no 
> configuration within the script. It is of the simplest form. It merely reads 
> a file and writes text to the output.
>
> The directory is restricted with the following Apache configuration entry
>
> <Directory /srv/www/htdocs/restricted>
> Order Deny,Allow
> Deny from all
> Allow from 161.31.66
> </Directory>

Ok.  That's clearer.

In this case, there is nothing that apache can do.  The script is
accessing the files directly through the file-system, and therefore no
apache controls will have any effect.  The typical way to address that
is to take the files out of the document root (so they are not
directly accessible from the web at all, and hence do not need
protection in the apache config) and then implement the necessary
access controls as part of the perl script.

An alternative is to use something like mod_rewrite, which can look at
the query string and do access restrictions based on what it sees
there.  But I wouldn't recommend this solution, since it could get
very complicated.

Joshua.
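
The approach described in the reply above (data files moved out of the document root, access control enforced inside the script), sketched as an added example; this is not code from the original thread or from cs.pl. The data root /srv/www/data, the restricted/ subdirectory beneath it, and the resolve_page helper are assumptions, and REMOTE_ADDR is assumed to be the real client address (no proxy in front of Apache).

```perl
#!/usr/bin/perl
# Added example, not the original cs.pl. Paths and layout are assumptions.
use strict;
use warnings;
use Cwd qw(realpath);

my $DATA_ROOT   = '/srv/www/data';               # assumed: outside the document root
my $ALLOWED_NET = qr/\A161\.31\.66\.\d{1,3}\z/;  # mirrors "Allow from 161.31.66"

# Returns (200, path) for a page this client may read, else (403|404, undef).
sub resolve_page {
    my ($df, $remote_addr, $root) = @_;
    $root = realpath($root);
    return (404, undef) unless defined $root && defined $df;
    # Allowlist: relative names made of safe characters only, ending in .html.
    # This rejects "..", absolute paths, NUL bytes and %-encoded input.
    return (404, undef)
        unless $df =~ m{\A[A-Za-z0-9_-]+(?:/[A-Za-z0-9_-]+)*\.html\z};
    # Canonicalise so a symlink cannot lead outside the data root.
    my $path = realpath("$root/$df");
    return (404, undef)
        unless defined $path && -f $path && index($path, "$root/") == 0;
    # Apply in the script the rule Apache applied to direct requests.
    if (index($path, "$root/restricted/") == 0) {
        return (403, undef)
            unless defined $remote_addr && $remote_addr =~ $ALLOWED_NET;
    }
    return (200, $path);
}

# DF is taken raw from the query string; no URL decoding is needed because
# the allowlist only accepts characters that are never encoded.
my ($df) = ($ENV{QUERY_STRING} // '') =~ /(?:\A|[&;])DF=([^&;]*)/;
my ($status, $path) = resolve_page($df, $ENV{REMOTE_ADDR}, $DATA_ROOT);

if ($status != 200) {
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n";
    print $status == 403 ? "Forbidden\n" : "Not found\n";
    exit 0;
}
print "Content-Type: text/html\r\n\r\n";
# (the site-wide page template would be written here, as in the original)
open(my $fh, '<', $path) or die "cannot open $path: $!";
print while <$fh>;
close($fh);
```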

---------------------------------------------------------------------
The official User-To-User support forum of the Apache HTTP Server Project.
See <URL:http://httpd.apache.org/userslist.html> for more info.