dave.cragg at lacscentre.co.uk
Wed Feb 20 04:56:48 EST 2008
On 20 Feb 2008, at 01:54, J. Landman Gay wrote:
> I think we can relax as long as we don't script anything stupid.
> Here are a couple of quotes from Scott Raney about it:
It wasn't the script content I was concerned about. Scripting
problems exist wherever the engine is.
My concern was that if the engine is in the cgi-bin folder, you can
attempt to call the engine directly. For example, if the engine is
named "rev", then what happens when you request the url "http://
Will Apache try to start the engine? My understanding of Apache and
the cgi-bin folder suggests that it will. (But I am not certain.)
Normally, I think nothing will happen and the engine will immediately
close. But if it were possible to coerce Apache to send parameters
when opening the engine, the risks seem higher. In the case of the
Windows Perl executable, I think Apache sent any query string
attached to the url as a parameter. In some circumstances (forget
details) the Perl executable will attempt to execute scripts passed
as parameters. It was possible to craft a query string that would
cause Perl to execute scripts.
As I said, I'm reasonably confident this can't be done with Rev. (But
it will accept parameters.) But it's usually not a problem to put the
engine somewhere outside of the cgi-bin folder and adjust the top
line of the script accordingly.
The other advantage is that starting a script with #!usr/bin/revbin/rev
or #!../rev makes you look more knowledgeable than simply using
#!rev. It's like the subtle difference between quiche and egg pie.
You'll swear your scripts run faster. :-)
More information about the Use-livecode
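The concern above (an engine sitting in cgi-bin that Apache would exec directly, and scripts whose #! line points back into cgi-bin) can be checked with a small audit. This is an added example, not from the post or the LiveCode project; it assumes a POSIX shell with head, cut, awk and dirname, and takes the cgi-bin directory as its argument.

```shell
# Added audit helper (not part of the original post): walks a cgi-bin
# directory and reports
#   EXECUTABLE              - an executable with no "#!" line, i.e. an
#                             engine/interpreter Apache would run directly
#                             on a request for /cgi-bin/<name>
#   INTERPRETER-IN-CGI-BIN  - a script whose #! interpreter resolves to a
#                             file inside cgi-bin itself (e.g. "#!rev")
#   RELATIVE-SHEBANG        - a script whose #! path is not absolute
# Usage: audit_cgi_bin /var/www/cgi-bin

audit_cgi_bin() {
    dir="$1"
    # canonical path of cgi-bin, symlinks resolved, for comparison
    cgi_dir=$(cd "$dir" && pwd -P) || return 1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        name=${f##*/}
        # anything executable that is not a "#!" script is run as-is
        if [ "$(head -c 2 "$f")" != "#!" ]; then
            printf 'EXECUTABLE %s\n' "$name"
            continue
        fi
        # interpreter path from the #! line (first word after "#!")
        interp=$(head -n 1 "$f" | cut -c 3- | awk '{print $1}')
        case "$interp" in
            /*) target_dir=$(cd "$(dirname "$interp")" 2>/dev/null && pwd -P) ;;
            *)  printf 'RELATIVE-SHEBANG %s -> %s\n' "$name" "$interp"
                # a relative interpreter is resolved against cgi-bin (the cwd
                # Apache gives CGI scripts)
                target_dir=$(cd "$dir/$(dirname "$interp")" 2>/dev/null && pwd -P) ;;
        esac
        if [ "$target_dir" = "$cgi_dir" ]; then
            printf 'INTERPRETER-IN-CGI-BIN %s -> %s\n' "$name" "$interp"
        fi
    done
    return 0
}
```

A script pointing at "#!../rev" is reported only as a relative shebang, since the engine then lives outside cgi-bin, which is the arrangement the post recommends.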