On 8/29/06, Patrick Rice <[EMAIL PROTECTED]> wrote:
> When I do this, I get a 500 internal error and I've traced this down to a permissions problem, as the apache user doesn't have the permissions to write the pics in the /var/www/html file.
Which is as it should be, I would imagine. For security purposes, I generally see three categories of files the webserver can access:

* servable files - like web pages and images (serve, never run, never write)
* programs - executable code (run, never serve, never write)
* data files - (read and write, never serve, never run)

If you keep these organized by directories, the server has an easy time enforcing the security rules. If it's somebody else's webserver, they probably use roughly the same security categories.

Even though the server won't directly serve the data files, you can easily make a CGI program that does little more than read and output the requested file. The PATH_INFO can be quite useful here, but use caution not to trust it without checking, because it's supplied by the user. But this URL could lead your program to serve the data file found in (some directory) maps/portugal/2006.png :

    http://www.example.com/cgi-bin/virtual.pl/maps/portugal/2006.png

That CGI program is not the only solution. You could add a fourth category, for example:

* servable data files - (read, write, or serve, never run)

You could use Apache's Alias directive to set this up, something like this:

    Alias /servdata /home/fred/webdata

Now, when the server gets a request like this:

    http://www.example.com/servdata/maps/portugal/2006.png

it knows which file to serve:

    /home/fred/webdata/maps/portugal/2006.png

If you choose this route, there are some additional security issues. For example, if it were my Apache webserver, I'd configure it to ignore (or at least restrict) any .htaccess files found in the server-writable directories. And I'd probably not allow browsing in these directories, either.

But I'd probably choose the CGI program, since it's simple to secure and not likely to be a significant amount of overhead.

Hope this helps!
--Tom Phoenix
Stonehenge Perl Training
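The "virtual.pl" approach in the reply above, written out as an added example (this is illustrative code, not Tom Phoenix's or the list's): a CGI script that serves files out of a data directory Apache never serves directly, while refusing to trust PATH_INFO until it has been checked. The data root /home/fred/webdata, the file name virtual.pl and the extension whitelist are assumptions taken from or added to the discussion, not anything the original message prescribes.

```perl
#!/usr/bin/perl
# virtual.pl -- illustrative CGI that serves files from a data directory
# the webserver does not serve directly. Example added to the thread,
# not the original poster's code. The data root is an assumption.
use strict;
use warnings;
use File::Spec;

my $DATA_ROOT = '/home/fred/webdata';   # assumed location; adjust to taste

# Only send content types we have decided are safe to hand out as data.
my %TYPES = (
    png  => 'image/png',
    jpg  => 'image/jpeg',
    jpeg => 'image/jpeg',
    gif  => 'image/gif',
    txt  => 'text/plain',
);

sub fail {
    my ($status, $msg) = @_;
    print "Status: $status\r\nContent-Type: text/plain\r\n\r\n$msg\n";
    exit 0;
}

# Validate the user-supplied PATH_INFO by construction: split it into
# segments and accept only simple names made of [A-Za-z0-9_.-] that do
# not start with a dot. Empty segments, "." and ".." are rejected, so
# the result can never escape $DATA_ROOT or name hidden files.
sub safe_relative_path {
    my ($path_info) = @_;
    return undef unless defined $path_info && length $path_info;
    my @segs = split m{/}, $path_info, -1;      # -1 keeps trailing empties
    shift @segs if @segs && $segs[0] eq '';     # drop the leading slash
    return undef unless @segs;
    for my $s (@segs) {
        return undef if $s eq '' || $s eq '.' || $s eq '..';
        return undef unless $s =~ /\A[A-Za-z0-9_][A-Za-z0-9_.-]*\z/;
    }
    return join '/', @segs;
}

my $rel = safe_relative_path($ENV{PATH_INFO})
    or fail(400, 'Bad request');

# Decide the Content-Type from the (already validated) extension.
my ($ext) = $rel =~ /\.([A-Za-z0-9]+)\z/;
my $type = defined $ext ? $TYPES{lc $ext} : undef;
fail(403, 'Forbidden') unless $type;

# Build the real path under the data root and insist on a readable
# regular file; directories and anything missing yield 404.
my $file = File::Spec->catfile($DATA_ROOT, split m{/}, $rel);
fail(404, 'Not found') unless -f $file && -r _;

open my $fh, '<:raw', $file or fail(404, 'Not found');
my $size = -s $fh;
print "Content-Type: $type\r\nContent-Length: $size\r\n\r\n";
binmode STDOUT;
my $buf;
print $buf while read $fh, $buf, 65536;
close $fh;
```

With the script installed as cgi-bin/virtual.pl, a request for /cgi-bin/virtual.pl/maps/portugal/2006.png sets PATH_INFO to /maps/portugal/2006.png and the script streams /home/fred/webdata/maps/portugal/2006.png with an image/png header. The whitelist on each path segment is the check the reply asks for: rather than trying to strip dangerous sequences out of PATH_INFO, it only accepts names that could not be dangerous in the first place, and anything else gets a 400.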