Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success


On Wed, Aug 15, 2018 at 5:53 PM Jason Pitt <jnpitt@xxxxxx> wrote:
>
> OK, I have a workaround, but I'm really unhappy with it and I'd like it if someone can verify for me that I'm not doing something wrong before I change my whole code base to deal with the cgi scripts not being present in the Apache default cgi-bin (on my system /usr/lib/cgi-bin). So when a client requests a file from the cgi-bin, Apache seems to execute it before asking for Basic Authorization. However, if I take the exact same apache2.config block, change the directory to something somewhere else, in this case /var/www/html, add +ExecCGI and a handler for .cgi files... Apache has the behavior I'd expect. It asks for authorization, then executes the .cgi file. Why on earth can't I just do that for the default cgi-bin???
>
> so this works:
> <Directory /var/www/html>
>         Options Indexes FollowSymLinks ExecCGI
>         AddHandler cgi-script .cgi
>         AllowOverride None
>         AuthUserFile /home/jpitt/wormbot/passwords
>         AuthType Basic
>         AuthName "Kaebot"
>         Require valid-user
> </Directory>
>
> this asks for a password but executes the script regardless of user input
> <Directory /usr/lib/cgi-bin>
>         Options Indexes FollowSymLinks ExecCGI
>         AddHandler cgi-script .cgi
>         AllowOverride None
>         AuthUserFile /home/jpitt/wormbot/passwords
>         AuthType Basic
>         AuthName "Kaebot"
>         Require valid-user
> </Directory>

Maybe there is some other overlapping configuration section?
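
One way to check for the overlap suggested above, as an added example that is not part of the original thread: the script lists every plain `<Directory>` block that covers a given path, together with the access-control directives inside it. The file names and contents in `SAMPLE` are constructed for illustration, and regex sections, `<Location>` blocks and `.htaccess` files are not handled.

```python
import re
from pathlib import PurePosixPath

# Constructed sample configuration (file names and contents are illustrative).
SAMPLE = {
    "apache2.conf": """\
<Directory /usr/lib/cgi-bin>
    AuthUserFile /home/jpitt/wormbot/passwords
    AuthType Basic
    AuthName "Kaebot"
    Require valid-user
</Directory>
""",
    "conf-enabled/other.conf": """\
<Directory "/usr/lib/cgi-bin/">
    Options +ExecCGI
    Require all granted
</Directory>
<Directory /var/www/html>
    Require all granted
</Directory>
""",
}

# Plain <Directory path> only; <DirectoryMatch> and "<Directory ~ ...>" are skipped.
OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Directory\s*>', re.I)
ACCESS = re.compile(r'^\s*(Require|Auth\w+|Satisfy|Allow|Deny|Order)\b', re.I)

def sections_covering(configs, target):
    """Return [file, line, path, [access directives]] for each <Directory>
    block whose path equals `target` or is one of its parent directories."""
    target = PurePosixPath(target)
    hits = []
    for name, text in configs.items():
        current = None
        for lineno, line in enumerate(text.splitlines(), 1):
            m = OPEN.match(line)
            if m:
                path = PurePosixPath(m.group(1))  # also drops a trailing slash
                covers = path == target or path in target.parents
                current = [name, lineno, str(path), []] if covers else None
                if current:
                    hits.append(current)
            elif CLOSE.match(line):
                current = None
            elif current and ACCESS.match(line):
                current[3].append(line.strip())
    return hits
```

More than one hit for the same path means the authorization directives of those sections have to be read together, in the order the server loads the files.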
