This module is contained in the mod_actions.c file, and
is compiled in by default. It provides for
executing CGI scripts based on media type or request method. It is not
present in versions prior to Apache 1.1.
This module lets you run CGI scripts whenever a file of a certain type is requested. This makes it much easier to execute scripts that process files.
Syntax: Action action-type cgi-script
Context: server config, virtual host, directory,
.htaccess
Override: FileInfo
Status: Base
Module: mod_actions
Compatibility: Action is only available in Apache 1.1
and later
This directive adds an action, which will activate cgi-script when action-type is triggered by the request. The action-type can be either a handler or a MIME content type. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.
This directive is often used to attach a particular extension to an interpreter script. For example, the .phtml extension is often associated with PHP/FI.
Internally, mod_actions issues a redirect to cgi-script when action-type is triggered. The URI of the new request is made by concatenating cgi-script, the URI of the original request, and a "?" followed by the arguments (think QUERY_STRING) of the previous request, if provided. When this redirected request from mod_actions is handled by mod_cgi, the environment will be set up as follows.
PATH_INFO: URI of the previous request.
PATH_TRANSLATED: Filename of the file found by the previous request.
REDIRECT_URL: URI of the previous request.
REQUEST_URI: URI of the original request.
There is an important distinction between the "original request" and the "previous request". The previous request is the request on which mod_actions performed a redirect to cgi-script. However, this may not be the original request -- there may have been previous redirects. The original request is the request actually made by the client machine.
Security Notice: Without the proper security, it is possible for a hacker to circumvent standard Apache access checking by directly specifying path info to the cgi-script. The solution is to require that the request has been redirected by checking REDIRECT_URL. See the example for more details.
Example:

Assume the following per-directory config file:

    #
    # Set up all files ending in ".giveheader" to be processed by the
    # "/printheader.cgi" script.
    #
    Action printheader /printheader.cgi
    AddHandler printheader .giveheader

Where printheader.cgi is the following:

    #!/usr/bin/perl
    #
    # printheader.cgi -- action script to add header and footer to HTML documents
    #
    print "Content-type: text/html\n\n";

    # prevent direct requests which circumvent standard Apache access checking
    if ( not defined $ENV{'REDIRECT_URL'} ) {
        print "<h1>Security Violation</h1>Requests must come from redirect\n";
        exit 0;
    }

    # file found by the previous request, passed in by mod_actions
    $file = $ENV{'PATH_TRANSLATED'};

    print "header, bla, bla, bla\n";
    # three-argument open: characters in $file are never read as an open mode
    open FILE, '<', $file or die "can not open $file";
    while ( <FILE> ) { print };
    close FILE;
    print "footer, bla, bla, bla\n";

Now a request for "/test.giveheader" will cause printheader.cgi to be run, which adds a header and a footer to the file. However, the script could have done almost anything. A common usage is to interpret the original file.

Without checking $ENV{'REDIRECT_URL'} it would have been possible to use this script to circumvent standard Apache access checking. Let's say there is a file "/secrets/file.html" that is not publicly accessible. Any user can just make a request for "/printheader.cgi/secrets/file.html" and get the secret file. Checking REDIRECT_URL to make sure there was actually a redirect prevents the attack.
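A log check for the bypass described above, as an added example that is not part of the original Apache documentation: the access log records the request line the client sent, so an entry whose path is the action script followed by path info was a direct request rather than a mod_actions redirect. The list of action script paths, the Common Log Format layout and the sample lines are assumptions constructed for illustration.

```python
import re
from urllib.parse import unquote, urlsplit

# Assumption: URL paths configured as Action/Script targets on this server.
ACTION_SCRIPTS = ("/printheader.cgi",)

# Common Log Format: host ident user [time] "METHOD target PROTO" status bytes
CLF = re.compile(r'^(\S+) \S+ \S+ \[[^\]]+\] "(\S+) (\S+)[^"]*" (\d{3}) \S+')

def direct_action_requests(lines, scripts=ACTION_SCRIPTS):
    """Return (client, path_info, status) for requests that name an action
    script directly with extra path info instead of reaching it by redirect."""
    hits = []
    for line in lines:
        m = CLF.match(line)
        if not m:
            continue  # not a CLF line, nothing to inspect
        client, _method, target, status = m.groups()
        # Drop the query string, then decode %xx so encoded paths still match.
        path = unquote(urlsplit(target).path)
        for script in scripts:
            if path.startswith(script + "/"):
                hits.append((client, path[len(script):], int(status)))
    return hits

# Constructed sample log lines (documentation addresses, not real traffic).
SAMPLE_LOG = [
    '192.0.2.10 - - [10/Oct/1997:13:55:36 -0700] "GET /test.giveheader HTTP/1.0" 200 512',
    '192.0.2.44 - - [10/Oct/1997:13:56:02 -0700] "GET /printheader.cgi/secrets/file.html HTTP/1.0" 200 2048',
    '192.0.2.44 - - [10/Oct/1997:13:56:09 -0700] "GET /printheader%2Ecgi/secrets/file.html?x=1 HTTP/1.0" 200 61',
    '192.0.2.10 - - [10/Oct/1997:13:57:11 -0700] "GET /index.html HTTP/1.0" 200 1024',
]

if __name__ == "__main__":
    for client, path_info, status in direct_action_requests(SAMPLE_LOG):
        print(f"{client} requested the action script directly: "
              f"PATH_INFO={path_info} status={status}")
```

A hit only shows that the script was addressed directly; whether the protected file was served depends on whether the script checks REDIRECT_URL, so compare response sizes against the script's refusal page.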
Syntax: Script method cgi-script
Context: server config, virtual host, directory
Status: Base
Module: mod_actions
Compatibility: Script is only available in Apache 1.1
and later
This directive adds an action, which will activate cgi-script when
a file is requested using the method of method, which can be
one of GET, POST, PUT or
DELETE. It sends the
URL and file path of the requested document using the standard
CGI PATH_INFO and PATH_TRANSLATED environment variables.
Note that the Script command defines default actions only. If a CGI
script is called, or some other resource that is capable of handling
the requested method internally, it will do so. Also note that Script
with a method of GET will only be called if there are
query arguments present (e.g., foo.html?hi). Otherwise, the request
will proceed normally.
Examples:
Script GET /cgi-bin/search #e.g. for <ISINDEX>-style searching
Script PUT /~bob/put.cgi