--- mod_actions.html.orig Mon Mar 29 12:25:18 1999 +++ mod_actions.html Mon Mar 29 16:13:08 1999 @@ -74,10 +74,136 @@ action-type is triggered by the request. The action-type can be either a handler or a MIME content type. It sends the URL and file path of the requested document using the standard CGI PATH_INFO and PATH_TRANSLATED environment variables.

+ +

+This directive is often used to attach a particular extension to an interpreter +script. For example, the .phtml extension is often associated with the PHP/FI. +

+ +

+Internally, mod_actions issues a redirect to cgi-script when action-type +is triggered. The URI of the new request is made by concatenating cgi-script, and +the URI of the original request, and a "?" followed by the arguments (think QUERY_STRING) +of the previous request, if provided. +When this redirected request from mod_actions is handled by +mod_cgi, the environment will be setup as follows. +

+
+ + + + + + + + + + + + + + + + + +
PATH_INFO      URI of the previous request.
PATH_TRANSLATED      Filename of the file found by the previous request.
REDIRECT_URL      URI of the previous request
REQUEST_URI      URI of the original request
+
+

+There is an important distinction between the "original request" and the "previous +request". The previous request is the request on which mod_actions preformed +a redirect to cgi-script. However, this may not be the original request -- +there may have been previous redirects. The original request is the request +actually made by the client machine. +

+

+ + + +
+Security Notice: Without the proper security, it is possible for a hacker +to circumvent standard apache access checking by directly specifying +path info to the cgi-script. The solution is to require that the +request has been redirected by checking REDIRECT_URI. See the example for more details. +
+ + +

+

+ +Example: + +

+ +Assume the following pre-directory config file: + +

+ + +
+#
+# Setup all files ending in ".giveheader" to be processed by the
+# "/printheader.cgi" script.
+#
+
+AddHandler printheader /printheader.cgi
+AddType printheader .giveheader
+
+ +

+ +Where printheader.cgi is the following: + +

+ + +
+#!/usr/bin/perl
+#
+# printheder.cgi -- action script to add header and footer to HTML documents
+#
+
+print "Content-type: text/html\n\n";
+
+# prevent direct requests which circumvent standard apache access checking
+if ( not defined $ENV{'REDIRECT_URL'} )
+{
+   print "<h1>Secuirty Violation</h1>Requests must come from redirect\n";
+   exit 0;
+}
+
+$file = $ENV{'PATH_TRANSLATED'};
+
+print "header, bla, bla, bla\n";
+
+open FILE, "< $file" or die "can not open $file";
+while ( <FILE> ) { print };
+
+print "footer, bla, bla, bla\n";
+
+ +

+ +

+Now a request for "/test.giveheader" will cause printheader.cgi to be run, +which adds a header and a footer to the file. However, the script could have done almost anything. +A common usage it to interpret the original file. +

+ +

+Without checking $ENV{'REDIRECT_URL'} it would have been possible to use this +script to circumvent standard Apache access checking. Let's say there is a file +"/secrets/file.html" is not publicly accessible. Well, any user +can just make a request for "/printheader.cgi/secrets/file.html" and get the secret +file. Checking REDIRECT_URL to make sure there was actually a redirect prevents +the attack. +

+ +
+

Script directive