Re: [users@httpd] prevent cgi-bin script execution prior to authorization dialog success


Nope...there isn't...at least not in apache2.conf. However, there is clearly something different about how it is serving content from /cgi-bin than from other directories...even if those directories are flagged with ExecCGI. One nice thing I noticed is that I can use ScriptAlias to alias "/cgi-bin/" to some other directory and then set the access rules for that other directory, and it will behave as I want, so I just need to alter the install point for my applications and edit apache2.conf...but still, this doesn't seem like expected behavior. Would it be a bug?

-J

On Wed, Aug 15, 2018 at 3:38 PM, Eric Covener <covener@xxxxxxxxx> wrote:
On Wed, Aug 15, 2018 at 5:53 PM Jason Pitt <jnpitt@xxxxxx> wrote:
>
> OK, I have a workaround, but I'm really unhappy with it and I'd like it if someone can verify for me that I'm not doing something wrong before I change my whole code base to deal with the cgi scripts not being present in the apache default cgi-bin (on my system /usr/lib/cgi-bin). So when a client requests a file from the cgi-bin, Apache seems to execute it before asking for Basic Authorization. However, if I take the exact same apache2.config block, change the directory to something somewhere else, in this case /var/www/html, add +ExecCGI and a handler for .cgi files...Apache has the behavior I'd expect. It asks for authorization, then executes the .cgi file. Why on earth can't I just do that for the default cgi-bin???
>
> so this works:
> <Directory /var/www/html>
>         Options Indexes FollowSymLinks ExecCGI
>         AddHandler cgi-script .cgi
>         AllowOverride None
>         AuthUserFile /home/jpitt/wormbot/passwords
>         AuthType Basic
>         AuthName "Kaebot"
>         Require valid-user
> </Directory>
>
> this asks for a password but executes the script regardless of user input
> <Directory /usr/lib/cgi-bin>
>         Options Indexes FollowSymLinks ExecCGI
>         AddHandler cgi-script .cgi
>         AllowOverride None
>         AuthUserFile /home/jpitt/wormbot/passwords
>         AuthType Basic
>         AuthName "Kaebot"
>         Require valid-user
> </Directory>

Maybe there is some other overlapping configuration section?

--
/*
Jason Pitt PhD                                   206.616.1193
Kaeberlein Lab                                   jnpitt@xxxxxx
University of Washington
Department of Pathology
Health Sciences Building                    Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/
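
One way to check the "overlapping configuration section" question raised in the thread, as an added example that is not part of the original messages: a small Python scan that lists every path configured by more than one `<Directory>` section and the `Require` lines each section sets. The sample input is constructed; the file name `conf-enabled/example.conf` and its contents are assumptions for illustration, and the scan only compares identical paths (it does not follow `Include` lines or evaluate parent directories or `<Location>` sections).

```python
import re
from collections import defaultdict

# Constructed sample input: the first file reuses the path from the thread,
# the second file name and its contents are hypothetical.
SAMPLE = {
    "apache2.conf": """
<Directory /usr/lib/cgi-bin>
    Require valid-user
</Directory>
""",
    "conf-enabled/example.conf": """
<Directory "/usr/lib/cgi-bin/">
    Require all granted
</Directory>
<Directory /var/www/html>
    Require valid-user
</Directory>
""",
}

OPEN = re.compile(r'^\s*<Directory\s+"?([^">]+?)"?\s*>', re.I)
CLOSE = re.compile(r'^\s*</Directory>', re.I)
REQUIRE = re.compile(r'^\s*Require\b', re.I)

def directory_sections(files):
    """Map each <Directory> path to [(file, line number, [Require lines])]."""
    found = defaultdict(list)
    for name, text in files.items():
        current = None
        for number, line in enumerate(text.splitlines(), 1):
            opened = OPEN.match(line)
            if opened:
                # Normalise the trailing slash so both spellings compare equal.
                path = opened.group(1).rstrip("/") or "/"
                current = (path, name, number, [])
            elif current and CLOSE.match(line):
                found[current[0]].append(current[1:])
                current = None
            elif current and REQUIRE.match(line):
                current[3].append(" ".join(line.split()))
    return found

def overlapping(files):
    """Return only the paths configured by more than one section."""
    return {p: s for p, s in directory_sections(files).items() if len(s) > 1}

if __name__ == "__main__":
    for path, sections in overlapping(SAMPLE).items():
        for name, number, requires in sections:
            print(f"{path}: {name}:{number} -> {requires or 'no Require'}")
```

To run it against a real server, build the dictionary from the files the main configuration includes, in the order they are included, since sections for the same directory are applied in configuration order.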