display a .pl Don't try to execute it! - Apache Web Server forum at WebmasterWorld - WebmasterWorld

Forum Moderators: phranque

Message Too Old, No Replies

display a .pl Don't try to execute it!

antofthy

5:51 am on Mar 7, 2011 (gmt 0)

10+ Year Member

Previously I have created .pl files specifically to display the script to users.

Now in the new version of apache the file will not display but report

You don't have permission to access /..../file.pl on this server.

The error logs report...

Options ExecCGI is off

Well of course it is off... I don't want to execute it I want to display it. It isn't even executable, just a normal file. If I rename it anything else, it displays fine. It is only a problem when it has a ".pl" suffix!

The web server configuration only has

AddHandler cgi-script .cgi

I do not load the mod_perl module
And in my local .htaccess file I have

AddType text/plain .pl

I can find no other references that could be causing it to be thought of as CGI.

So why is the web server wanting to execute ".pl" file, when I don't want it to! I have not declared it a CGI, as it isn't a CGI, just a plain ordinary file to be served!

This worked fine in previous versions of apache now it doesn't. (Current version RHEL 6, Apache 2.2.15 )

How can I fix it?

jdMorgan

6:13 pm on Mar 9, 2011 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Perhaps


RemoveHandler cgi-script .pl

Keep in mind that AddType and RemoveType refer to MIME-types --the Content-Type header to be returned to the client with the file content-- while AddHandler and RemoveHandler have to do with server-side processing.

Jim

antofthy

1:10 am on Mar 10, 2011 (gmt 0)

10+ Year Member

Thank you that did the job. I could even make that change in the .htaccess for that directory, rather than globally.

It just seems weird that the use of ".pl" as CGI is not declared in the configure, and yet is considered to be a CGI script. Yet the default configuration suggests you declare ".cgi" for such files to be considered ".cgi". Seems a bit of a security hole in the configuration.

antofthy

1:17 am on Mar 10, 2011 (gmt 0)

10+ Year Member

Oh the reason I thought AddType important is that you are able to declare a 'type' of "application/x-httpd-cgi" to mean that the file is a CGI script.

In previous versions of apache setting the type of .pl files to "plain/text" was enough to turn of any use as CGI scripts. That changed.

jdMorgan

7:03 pm on Mar 17, 2011 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

> In previous versions of apache setting the type of .pl files to "plain/text" was enough to turn of any use as CGI scripts. That changed.

Yes, it was changed because it was wrong -- or inappropriate, to be more fair. AddType now controls only the MIME-type (i.e. the HTTP Content-Type header) returned with directly-requested filetypes, as it should.

There was a lot of "kludging" of earlier server versions to implement various script-execution-related functions, and this mis-use of the AddType directive was one of them. Now the "AddHandler" directive is the one to use to control whether a file is to be served to the client directly or to be executed on the server.

Jim