The following reply was made to PR mod_actions/1418; it has been noted by GNATS.
From: Vincent Partington <[EMAIL PROTECTED]>
To: Marc Slemko <[EMAIL PROTECTED]>
Cc: [EMAIL PROTECTED], [EMAIL PROTECTED], Apache bugs database <[EMAIL PROTECTED]>
Subject: Re: mod_actions/1418: htaccess files can be bypassed when actions are used
Date: Tue, 18 Nov 1997 09:55:03 +0100
Marc Slemko wrote:
> On 18 Nov 1997 [EMAIL PROTECTED] wrote:
>
> > [In order for any reply to be added to the PR database, ]
> > [you need to include <[EMAIL PROTECTED]> in the Cc line ]
> > [and leave the subject line UNCHANGED. This is not done]
> > [automatically because of the potential for mail loops. ]
> >
> >
> > Synopsis: htaccess files can be bypassed when actions are used
> >
> > State-Changed-From-To: open-closed
> > State-Changed-By: dgaudet
> > State-Changed-When: Mon Nov 17 22:33:56 PST 1997
> > State-Changed-Why:
> > Apache is behaving correctly, the /cgi-bin URL is not
> > protected. If you want to use Action this way then make
> > another ScriptAlias which is protected.
>
> You should be able to have your script check the appropriate environment
> variables to verify that it is not being called directly. You would have
> to look at them and examine the differences to see if this is workable
> though; haven't looked.
Hi Marc and Dean,
Thank you for replying, it's interaction like this that makes Apache such a
great server to use.
Dean is correct; Apache is behaving correctly. The problem I faced was the
fact that it is always possible for a user to access a secured file by directly
accessing the URL starting with "/cgi-bin/process.cgi". However, protecting
the /cgi-bin directory would also disallow access to "/notsecure/file.prhtml",
so that is too severe a solution.
But the hint Marc gives is a good one; the environment variables REQUEST_URI,
REDIRECT_URL, REDIRECT_STATUS and sometimes REDIRECT_QUERY_STRING are
different when the CGI program is called directly. As I will be developing
process.cgi myself, I can make use of these.
Maybe it's a good idea to add this question to the FAQ list. When I posted a
question about this problem in comp.infosystems.www.servers.unix, I got no
useful reply, but I did get an email from someone asking me if I had gotten an
answer yet. The only thing is, it's very difficult to explain this problem
clearly. :-)
Regards, Vincent.
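The check Marc suggests and Vincent describes, as an added example that is not part of the thread or of Apache: a CGI handler that refuses to run unless Apache reached it through an Action internal redirect. It assumes what the thread states, that Apache sets REDIRECT_STATUS and REDIRECT_URL on the internal redirect and leaves them unset on a direct /cgi-bin request; the sample environments and the name process.cgi are constructed for illustration.

```python
import os
import sys

# Constructed sample CGI environments (not captured from a real server).
DIRECT_CALL = {                       # client typed /cgi-bin/process.cgi itself
    "REQUEST_URI": "/cgi-bin/process.cgi?x=1",
    "SCRIPT_NAME": "/cgi-bin/process.cgi",
}
VIA_ACTION = {                        # Action handler dispatched us for a .prhtml file
    "REQUEST_URI": "/secure/report.prhtml",
    "SCRIPT_NAME": "/cgi-bin/process.cgi",
    "REDIRECT_STATUS": "200",
    "REDIRECT_URL": "/secure/report.prhtml",
    "PATH_INFO": "/secure/report.prhtml",
}


def invoked_via_action(env):
    """True only if Apache itself redirected to us with a successful status.

    Apache sets REDIRECT_STATUS/REDIRECT_URL on internal redirects; a client
    cannot forge them because request headers reach CGI only as HTTP_* names.
    An ErrorDocument redirect also sets them, but with the error status, so
    the "200" check keeps this handler to Action dispatch (assumption: Action
    redirects carry status 200, as on the servers of the period).
    """
    if env.get("REDIRECT_STATUS") != "200":
        return False
    original = env.get("REDIRECT_URL", "")
    # The document we were redirected from must not be the script itself.
    if not original or original.startswith(env.get("SCRIPT_NAME", "/cgi-bin/")):
        return False
    return True


def respond(env):
    """Return (status line, body) for the given CGI environment."""
    if not invoked_via_action(env):
        return ("403 Forbidden", "Direct invocation is not permitted.\n")
    return ("200 OK", "Processing %s\n" % env["REDIRECT_URL"])


if __name__ == "__main__":
    status, body = respond(os.environ)
    sys.stdout.write("Status: %s\r\nContent-Type: text/plain\r\n\r\n%s" % (status, body))
```

The .htaccess in /secure still does the authentication; this check only closes the side door of calling the script's own URL.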