Hi,
I am about to write a CGI program that will process files ending in a certain
extension, say ".ext". Using Apache 1.2, I can add a mime-type for ".ext" and
add an action like
Action application/x-ext /cgi-bin/process.cgi
to make the CGI program process all files ending in ".ext".
Let's say the directory "/secure" is protected by a password, while the
directory "/cgi-bin" is not. When a request is made for the file
"/secure/file.ext", the CGI program "/cgi-bin/process.cgi" is run with
"/secure/file.ext" as its PATH_INFO. However, a visitor to my site can get the
same output by requesting the URL "/cgi-bin/process.cgi/secure/file.ext",
thereby bypassing the password protection.
Is there a way around this problem? I've experimented with mod_rewrite but
could not find a solution there. The only "solution" I can think of now is
security-by-obfuscation, i.e. rename "/cgi-bin/process.cgi" into something
weird and hope people never find out. Obviously, that does not make me feel
good. :-)
I hope someone can help me. Thanks in advance, Vincent.
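
One way a handler can tell the two requests in the message above apart, as an added example that is not part of the original post: it refuses any request that did not arrive through the server's internal Action redirect. It assumes the server sets REDIRECT_STATUS and REDIRECT_URL on that redirect (current Apache does; check this on Apache 1.2), and the function names, sample environments and docroot path are hypothetical.

```python
#!/usr/bin/env python3
"""CGI guard: answer only requests that arrived through the Action redirect."""
import os
import sys

HANDLED_SUFFIX = ".ext"  # extension mapped to this handler in the post


def invoked_via_action(environ):
    """True only if the server internally redirected the request to us.

    Assumption: the server exports REDIRECT_STATUS and REDIRECT_URL on an
    internal redirect. A client cannot supply them, because request headers
    reach a CGI only as HTTP_* variables.
    """
    if environ.get("REDIRECT_STATUS") != "200":
        return False  # direct request, or an error-document style redirect
    original_url = environ.get("REDIRECT_URL", "")
    if not original_url or original_url != environ.get("PATH_INFO", ""):
        return False  # PATH_INFO is not the URL the access checks ran on
    return original_url.endswith(HANDLED_SUFFIX)


def respond(environ):
    """Return the full CGI response (headers, blank line, body)."""
    if not invoked_via_action(environ):
        return "Status: 403 Forbidden\r\nContent-Type: text/plain\r\n\r\nForbidden\n"
    # With Action, PATH_TRANSLATED is the file behind the original URL.
    target = environ.get("PATH_TRANSLATED", "")
    return "Content-Type: text/plain\r\n\r\nwould process %s\n" % target


# Constructed environments for the two requests described in the post.
VIA_ACTION = {
    "REDIRECT_STATUS": "200",
    "REDIRECT_URL": "/secure/file.ext",
    "PATH_INFO": "/secure/file.ext",
    "PATH_TRANSLATED": "/www/htdocs/secure/file.ext",  # hypothetical docroot
}
DIRECT = {  # GET /cgi-bin/process.cgi/secure/file.ext
    "PATH_INFO": "/secure/file.ext",
    "PATH_TRANSLATED": "/www/htdocs/secure/file.ext",
}

if __name__ == "__main__":
    sys.stdout.write(respond(dict(os.environ)))
```

The password check on "/secure" has already run by the time the Action redirect reaches the handler, so accepting only redirected requests keeps that check in the path.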