Bug 52494

Summary: allow the Action directive to point in the filesystem space
Product: Apache httpd-2
Reporter: Christoph Anton Mitterer <calestyo>
Component: mod_actions
Assignee: Apache HTTPD Bugs Mailing List <bugs>
Status: NEW ---    
Severity: enhancement    
Priority: P2    
Version: 2.5-HEAD   
Target Milestone: ---   
Hardware: All   
OS: All   

Description Christoph Anton Mitterer 2012-01-22 01:18:33 UTC
Hi.

Currently the Action directive can only point to a URI-space based script (e.g. /cgi-bin/foo).

It would be worthwhile, IMHO, to have an enhanced version of Action that allows pointing to a filesystem-space based script (e.g. /usr/lib/cgi-bin/php).
Perhaps even automatically setting the cgi-script handler for it.


The reason is:
- Convenience, one saves the use of ScriptAlias, or something similar
- Not cluttering the URI-space by paths that are "not needed" (i.e. /cgi-bin/)
- Security: hiding the interpreter cgi-scripts from the clients. They should not need to see them and they should not be able to invoke them directly


Chris.

Comment 1 Christoph Anton Mitterer 2012-01-22 01:23:47 UTC
A note to the last point:
Currently there are some CGI scripts (interpreters) that add some security of their own here.
E.g. the CGI version from PHP checks (if some options are set) whether it was invoked via a redirect and executes only then.

In principle this would be a basic safety measure for _all_ CGI-scripts that are interpreters (and therefore used with the Action directive).
Having an Action directive that allows hiding the interpreter from the client would make this "useless"... well, at least it would secure all interpreters that don't secure themselves as PHP does.
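
The redirect check that Comment 1 attributes to PHP, written as a generic CGI wrapper; this is an added example, not part of the bug report and not code from httpd or PHP. It assumes Apache's behaviour of setting REDIRECT_STATUS on internally redirected requests and of passing the requested file in PATH_TRANSLATED for Action handlers; REAL_INTERPRETER and the function names are hypothetical.

```shell
#!/bin/sh
# Wrapper installed at the URI that Action points to, in front of an
# interpreter that has no redirect check of its own.
# REAL_INTERPRETER is a hypothetical path used only for illustration.
REAL_INTERPRETER="${REAL_INTERPRETER:-/usr/lib/cgi-bin/real-interpreter}"

# True only when the server reached the wrapper through an internal redirect.
# Apache sets REDIRECT_STATUS to a three-digit status on the redirected
# request; request headers reach a CGI as HTTP_* variables, so a client
# cannot supply this variable itself.
invoked_via_redirect() {
    case "${REDIRECT_STATUS:-}" in
        [0-9][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# True when PATH_TRANSLATED names a readable regular file, i.e. the
# document the Action handler was asked to process.
target_is_valid() {
    [ -n "${PATH_TRANSLATED:-}" ] && [ -f "$PATH_TRANSLATED" ] && [ -r "$PATH_TRANSLATED" ]
}

# Prints the status the wrapper answers with: 403 for a direct request,
# 404 when there is no usable target file, 200 when it may run.
decide() {
    if ! invoked_via_redirect; then echo 403; return; fi
    if ! target_is_valid; then echo 404; return; fi
    echo 200
}

# Act only when actually running as a CGI (the server sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    status=$(decide)
    if [ "$status" = 200 ]; then
        exec "$REAL_INTERPRETER" "$PATH_TRANSLATED"
    fi
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\nRequest refused.\n' "$status"
fi
```
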