WebApp Sec mailing list archives

Re: htaccess with apache


From: Graham Lally <scribe () exmosis net>
Date: Tue, 04 Nov 2003 20:41:21 +0000

Tim Greer wrote:
You'll want to filter lots after that, although the easiest way is to restrict the template name to valid characters, and remove everything else. The regexp on the page is:

        /^[\w\-\.]*$/

So if template doesn't match that, something's wrong.

I also recommend making sure the file ends with a specific file
extension, so only certain HTML or template (or text) files can be open:

/^[\w\-]*\.(html?|txt|tmpl)$/i  (for example--and you likely don't need
to capture those values, so use '?:' there)

Taint mode (#!/usr/bin/perl -T) on the script is worth adding in here too... Without going on and on about CGI security: if $template is being passed to the Perl 'open' command unfiltered, then pipes and redirections can be provided, turning a read into an exec or a write, so any Perl CGI should specify -T to enforce the regexp check above.

/etc/passwd shouldn't be readable by the CGI server!

Sure it should be!  The default permissions (that are safe too) are 644
for this file.  Are you thinking of shadow or master.passwd???

Oop, yes, my bad, I take that bit completely back - never try and concentrate on too many things at once ;) Still, file permissions and server privileges should be high on the list of Things To Check, especially if open's being used.

Ta,
.g
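As an added illustration (not code from either poster), here is how the anchored name check and a read-only three-argument open fit together in a taint-mode Perl CGI; the template directory path is an assumption.

```perl
#!/usr/bin/perl -T
# Added example: validate a template name as discussed in the thread, then
# open it read-only. The template directory is an assumed location.
use strict;
use warnings;

my $TEMPLATE_DIR = '/var/www/templates';   # assumption, not from the thread

# Return the validated, untainted template name, or undef if it fails the
# check: word characters and '-' only, followed by a whitelisted extension.
sub validated_template_name {
    my ($name) = @_;
    return undef unless defined $name;
    # Under -T, only data that matched the anchored pattern (the capture)
    # is released as untainted; anything else stays tainted and is rejected.
    return $1 if $name =~ /^([\w\-]*\.(?:html?|txt|tmpl))$/i;
    return undef;
}

# Open a template for reading only. The three-argument form with an explicit
# '<' mode means a name containing '|' or '>' can never be interpreted as a
# pipe or a redirection, unlike the two-argument form open(FH, $template).
sub open_template {
    my ($name) = @_;
    my $clean = validated_template_name($name);
    die "invalid template name\n" unless defined $clean;
    open(my $fh, '<', "$TEMPLATE_DIR/$clean")
        or die "cannot open template $clean: $!\n";
    return $fh;
}

# Quick demonstration with constructed inputs (no files are opened here).
for my $candidate ('index.html', 'page.tmpl', 'notes.txt',
                   '../../etc/passwd', 'cat /etc/passwd |', '>evil.html') {
    my $ok = defined validated_template_name($candidate) ? 'accepted' : 'rejected';
    printf "%-22s %s\n", "'$candidate'", $ok;
}
```

Run it as `perl -T script.pl` (or make it executable so the shebang applies); invoking it without -T produces the "Too late for -T" error.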

