PlsqlExclusionList
Specifies a pattern for procedure, package and schema names that must not be executed directly from a browser. This is a multiline directive in which each pattern is on one line. The pattern is case-insensitive and accepts the wildcard '*'. The default patterns disallowed from direct URL access are sys.*, dbms_*, utl_*, owa_*, owa.*, htp.*, htf.*, wpg_docload.*
Setting this directive to #NONE# will disable all protection. This is not recommended for a live site and should not be done (it is sometimes used for debugging purposes).
If this parameter is overridden, the defaults no longer apply, which means that you will have to explicitly add the default list to the list of excluded patterns.
Syntax:
- PlsqlExclusionList [string/"#NONE#" multiline]
Default:
- sys.*
- dbms_*
- utl_*
- owa_*
- owa.*
- htp.*
- htf.*
- wpg_docload.*
Example:
- PlsqlExclusionList myschema.private1.*
- PlsqlExclusionList myschema.private.*
The example above will disallow access to URLs which contain one of:
- sys.*
- dbms_*
- utl_*
- owa_*
- owa.*
- htp.*
- htf.*
- wpg_docload.*
- myschema.private.*
- myschema.private1.*
PlsqlExclusionList "#NONE#" will disable all protection. Again, this is not recommended for live sites, as it could be a security concern.
Tips for PlsqlExclusionList
Besides the patterns specified with this parameter, mod_plsql also disallows any procedure name which contains special characters such as tabs, newlines, carriage returns, single quotes, the backslash, the form feed, the open parenthesis, the close parenthesis, and spaces. This cannot be overridden.
In older versions, this parameter was called exclusion_list.
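The following configuration check is an added example, not part of the original documentation or of mod_plsql. It follows the statement above that an overridden list drops the defaults: it reports default patterns missing from a configured list, flags #NONE#, and tests a procedure name against the list. The function names, the constructed sample configuration and the whole-name matching rule are assumptions.

```python
import re

# Default patterns as listed on this page.
DEFAULTS = ["sys.*", "dbms_*", "utl_*", "owa_*", "owa.*",
            "htp.*", "htf.*", "wpg_docload.*"]
# Characters the page says are always rejected: tab, newline, carriage return,
# single quote, backslash, form feed, parentheses and space.
FORBIDDEN = re.compile(r"[\t\n\r'\\\f() ]")

# Constructed sample: a custom list that re-adds only two of the defaults.
SAMPLE = """
PlsqlExclusionList sys.*
PlsqlExclusionList dbms_*
PlsqlExclusionList myschema.private.*
"""

def parse_exclusions(conf_text):
    """Return the configured patterns (lowercased), or None if none are set."""
    patterns = []
    for line in conf_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0].lower() == "plsqlexclusionlist":
            patterns.append(parts[1].strip('"').lower())
    return patterns or None

def audit(conf_text):
    """Return a list of findings for a configuration snippet."""
    patterns = parse_exclusions(conf_text)
    if patterns is None:
        return []  # directive not overridden, so the defaults are in force
    if "#none#" in patterns:
        return ["#NONE# disables all protection"]
    return ["default pattern not re-added: " + d
            for d in DEFAULTS if d not in patterns]

def is_excluded(name, patterns):
    """Assumed rule: whole name, case-insensitive, '*' is the only wildcard."""
    if FORBIDDEN.search(name):
        return True  # rejected regardless of the configured list
    name = name.lower()
    return any(re.fullmatch(re.escape(p).replace(r"\*", ".*"), name)
               for p in patterns)

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(finding)
```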