HTML escape substituted parameter values to avoid injection attacks.

[rails.git] / config / lighttpd.conf

diff --git a/config/lighttpd.conf b/config/lighttpd.conf
index 7395a4b08867e1fd1b0635a8909d8737a94f8184..75647f2488bd406b2ff50090db48972b831546d2 100644 (file)
--- a/config/lighttpd.conf
+++ b/config/lighttpd.conf
@@ -4,6 +4,7 @@
 server.modules = ( 
   "mod_access",
   "mod_accesslog",
+  "mod_cgi",
   "mod_compress",
   "mod_evasive",
   "mod_fastcgi",
@@ -30,10 +31,11 @@ server.errorlog = "/var/log/lighttpd/error.log"
 $HTTP["remoteip"] == "127.0.0.1" { status.status-url = "/server-status" }
 
 #
-# API 0.3 is long dead, so fail any attempt to access it without
+# Fail any attempt to access old versions of the API without
 # getting rails involved at all
 #
 $HTTP["url"] =~ "^/api/0.3/" { url.access-deny = ("") }
+$HTTP["url"] =~ "^/api/0.4/" { url.access-deny = ("") }
 
 #
 # IP blocked at SteveC's request as it was trying to download the
@@ -89,6 +91,11 @@ url.redirect = (
   "^/wiki/(.*)$" => "http://wiki.openstreetmap.org/$1"
 )
 
+#
+# Run anything with a .pl iextension as a CGI script
+#
+cgi.assign = ( ".pl" => "/usr/bin/perl" )
+
 #
 # Serve static content from the rails public area ourselves
 #