Bug 52494 - allow the Action directive to point in the filesystem space
Status: NEW
Alias: None
Product: Apache httpd-2
Classification: Unclassified
Component: mod_actions
Version: 2.5-HEAD
Hardware: All All
Importance: P2 enhancement
Target Milestone: ---
Assignee: Apache HTTPD Bugs Mailing List
Depends on:
Reported: 2012-01-22 01:18 UTC by Christoph Anton Mitterer
Modified: 2012-01-22 01:23 UTC
Description Christoph Anton Mitterer 2012-01-22 01:18:33 UTC

Currently the Action directive can only point to a URI-space based script (e.g. /cgi-bin/foo).

It would be worthwhile, IMHO, to have an enhanced version of Action that allows pointing to a filesystem-space based script (e.g. /usr/lib/cgi-bin/php).
Perhaps even automatically setting the cgi-script handler for it.

The reason is:
- Convenience, one saves the use of ScriptAlias, or something similar
- Not cluttering the URI-space by paths that are "not needed" (i.e. /cgi-bin/)
- Security: hiding the interpreter cgi-scripts from the clients. They should not need to see them and they should not be able to invoke them directly

Comment 1 Christoph Anton Mitterer 2012-01-22 01:23:47 UTC
A note to the last point:
Currently there are some CGI scripts (interpreters) that add some security of their own here.
E.g. the CGI version from PHP checks (if some options are set) whether it was invoked via a redirect and executes only then.

In principle this would be a basic safety measure for _all_ CGI-scripts that are interpreters (and therefore used with the Action directive).
Having an Action directive that allows hiding the interpreter from the client would make this "useless"... well, at least it would secure all interpreters that don't secure themselves as PHP does.
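
The redirect check that Comment 1 attributes to PHP's CGI binary, sketched as a wrapper for an interpreter that does not perform it itself. This is an added example, not part of the bug report or of Apache httpd; the path in `REAL_INTERPRETER` and the function names are hypothetical, and it assumes the server sets `REDIRECT_STATUS` in the CGI environment only when the script was reached through an internal redirect such as the one Action performs.

```shell
#!/bin/sh
# Added example (not from the bug report): guard wrapper for a CGI interpreter
# that is meant to be reached only through an Action directive.
# Assumption: the server sets REDIRECT_STATUS in the CGI environment when the
# request arrived via an internal redirect, and leaves it unset on a direct hit.

# Hypothetical path of the real interpreter binary.
REAL_INTERPRETER="${REAL_INTERPRETER:-/usr/lib/cgi-bin/interpreter.real}"

# Succeeds only if REDIRECT_STATUS is exactly a three-digit HTTP status code.
invoked_via_redirect() {
    case "${REDIRECT_STATUS:-}" in
        [1-5][0-9][0-9]) return 0 ;;
        *) return 1 ;;
    esac
}

# CGI response for a direct request to the interpreter URL.
deny_response() {
    printf 'Status: 403 Forbidden\r\n'
    printf 'Content-Type: text/plain\r\n\r\n'
    printf 'Direct invocation of this interpreter is not permitted.\n'
}

guard_main() {
    if invoked_via_redirect; then
        # Hand over to the real interpreter with the environment unchanged.
        exec "$REAL_INTERPRETER" "$@"
    fi
    deny_response
}

# Act only when running under a CGI gateway, so the file can be sourced safely.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    guard_main "$@"
    exit 0
fi
```

The wrapper is installed at the URI the Action directive points to, with the real interpreter kept outside the URI space.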