OSDir


[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success


> Here's from the access.log:
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser"; "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
>

Looks like two page loads 30 seconds apart, but I notice there is no
request for the CGI itself for the first one but requests for the page
elements.
Are you sure there's no browser caching in the way here?  And perhaps
the basic auth credentials are cached for the /cgi-bin/ path but the
browser doesn't send them automatically for the static elements that
don't share a context root?

A private/incognito window, or temporarily logging %{Authorization}i
might clear some things up.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@xxxxxxxxxxxxxxxx
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx