On Thu, Feb 22, 2001 at 02:51:02PM -0800, Wim Kerkhoff wrote:
> "G.Richter" wrote:
> 
> > > Should the base class be accessible from the browser?
> > >
> > 
> > It's not intended to be, but it could lead to denial of service attacks, so
> > I add a security check.
> 
> What are people doing to protect against people trying to request
> objects that are Executed by pages, e.g., init.html, constants.html,
> header.html, footer.html, etc.?
> 
> Solutions I can think of are:
> 1. using an existing apache function or mod_perl handler to block
> requests to those files
> 2. if #1 doesn't exist, create my own
> 3. add an [$ if $] construct into base.html to check for bad requests,
> and Execute an error page instead
> 
> What's the best solution?

Not necessarily the best solution, but what I'm doing is not using
*.html for these objects at all - I'm calling them base.obj, init.obj,
etc. Two benefits - it makes it immediately clear what's meant to be a
proper html page and what's an EmbperlObject fragment; it means that
these objects are treated as text by apache by default, rather than
as html, avoiding the problems that spawned this thread. If you
don't want people to be able to view your objects, of course, you can
just do:

<Files ~ "\.obj$">
    Order allow,deny
    Deny from all
</Files>

but they'll still work fine with EmbperlObject.

Cheers,
Gavin
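For readers piecing the above together, here is a complete httpd.conf fragment showing Gavin's approach in context; it is an added example, not configuration from the thread, and it assumes an Embperl 1.3-era mod_perl setup (HTML::EmbperlObject handler, EMBPERL_OBJECT_BASE variable), pre-2.4 Apache access-control syntax, and placeholder hostnames and paths.

```apache
# Added example (not from the original mail). Assumes Embperl 1.3 with
# mod_perl and Apache 1.3/2.x "Order/Deny" access control; www.example.com
# and /var/www/site are placeholders.
<VirtualHost *:80>
    ServerName   www.example.com
    DocumentRoot /var/www/site

    # Only real pages carry the .html suffix and are run through EmbperlObject.
    <FilesMatch "\.html$">
        SetHandler  perl-script
        PerlHandler HTML::EmbperlObject
        Options     ExecCGI
    </FilesMatch>

    # Fragments (base, init, header, footer, ...) use the .obj suffix;
    # the base object is base.obj rather than the default base name.
    PerlSetEnv EMBPERL_OBJECT_BASE base.obj

    # Direct browser requests for any fragment are refused. EmbperlObject
    # still Executes the fragments from disk while assembling a page, so
    # this blocks only the URL-level access, not page assembly.
    <Files ~ "\.obj$">
        Order allow,deny
        Deny from all
    </Files>
</VirtualHost>
```

On Apache 2.4 the `Order allow,deny` / `Deny from all` pair inside the `<Files>` block becomes `Require all denied`; the rest is unchanged.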
