After finding out that program names in the URL are no longer case sensitive, I found a possible loophole that may be overlooked. I have a protection directive set up in my HTTP config that looks like the following:
Protection CGIPGM1P { AuthType BASIC ServerID ServerName PasswdFile QGPL/USERVLDL GetMask All PostMask All }My MAP directives are as follows:
Map /cgi-bin/* /QSYS.LIB/AS400CGI.LIB/*.PGM Map /CGI-BIN/* /QSYS.LIB/AS400CGI.LIB/*.PGMThe CGI program name is CGIPGM1. I had an PROTECT directive set up as follows:
Protect /QSYS.LIB/AS400CGI.LIB/CGIPGM1.PGM CGIPGM1PThis worked great and prompted for a user id and password when it was executed. But, I found out that if I used cgipgm1 (lower case) in the URL instead of CGIPGM1, the security validation did not happen. So, I added the following line:
Protect /QSYS.LIB/AS400CGI.LIB/cgipgm1.PGM CGIPGM1PThings now work ok. I'm just posting this in case someone runs across this. Who knows why you have to protect both, just something interesting. HREF="http://prairie.lakes.com/~bvstone/"> SRC="http://prairie.lakes.com/~bvstone/images/sig.gif">
Comment