Re: prevent cgi-bin script execution prior to authorization dialog success (Apache Users)

Ok I have a work around but I'm really unhappy with it and I'd like it if someone can verify for me that I'm not doing something wrong before I change my whole code base to deal with the cgi scripts not being present in the apache default cgi-bin (on my system /usr/lib/cgi-bin). So when a client requests a file from the cgi-bin Apache seems to execute it before asking for Basic Authorization. However if I take the exact same apache2.config block, change the directory to something somewhere else, in this case /var/www/html, add +ExecCGI and a handler for .cgi files...Apache has the behavior I'd expect. It asks for authorization, then executes the .cgi file. Why on earth can't I just do that for the default cgi-bin???

so this works:

<Directory /var/www/html>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride None
        AuthUserFile /home/jpitt/wormbot/passwords
        AuthType Basic
        AuthName "Kaebot"
        Require valid-user
</Directory>

this asks for a password but executes the script regardless of user input

<Directory /usr/lib/cgi-bin>
        Options Indexes FollowSymLinks ExecCGI
        AddHandler cgi-script .cgi
        AllowOverride None
        AuthUserFile /home/jpitt/wormbot/passwords
        AuthType Basic
        AuthName "Kaebot"
        Require valid-user
</Directory>

exact same cgi script...just placed in different locations

Is this a "feature" of Apache I'm just not appreciating?

-J

On Wed, Aug 15, 2018 at 2:34 AM, Eric Covener <covener@xxxxxxxxx> wrote:

> Here's from the access.log:
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 736 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:28 -0700] "GET /favicon.ico HTTP/1.1" 404 500 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:51 -0700] "GET /cgi-bin/experimentbrowser HTTP/1.1" 200 3867 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_delete.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:52 -0700] "GET /wormbot/img/icon_download.png HTTP/1.1" 401 735 "http://127.0.0.1/cgi-bin/experimentbrowser" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
> 127.0.0.1 - - [14/Aug/2018:19:33:58 -0700] "GET /favicon.ico HTTP/1.1" 404 501 "-" "Mozilla/5.0 (X11; Ubuntu; Linux x86_64; rv:61.0) Gecko/20100101 Firefox/61.0"
>

Looks like two page loads 30 seconds apart, but I notice there is no
request for the CGI itself for the first one but requests for the page
elements.
Are you sure there's no browser caching in the way here? And perhaps
the basic auth credentials are cached for the /cgi-bin/ path but the
browser doesn't send them automatically for the static elements that
don't share a context root?

A private/incognito window, or temporarily logging %{Authorization}i
might clear some things up.

---------------------------------------------------------------------
To unsubscribe, e-mail: users-unsubscribe@httpd.apache.org
For additional commands, e-mail: users-help@xxxxxxxxxxxxxxxx

/*
Jason Pitt PhD 206.616.1193
Kaeberlein Lab jnpitt@xxxxxx
University of Washington
Department of Pathology
Health Sciences Building Box 357470
1989 NE Pacific Street
Seattle, WA 98195
*/