RevCGI Hosts?

Dave Cragg dave.cragg at lacscentre.co.uk
Wed Feb 20 03:56:48 CST 2008


On 20 Feb 2008, at 01:54, J. Landman Gay wrote:

>
> I think we can relax as long as we don't script anything stupid.  
> Here are a couple of quotes from Scott Raney about it:

Hi Jacque

It wasn't the script content I was concerned about. Scripting  
problems exist wherever the engine is.

My concern was that if the engine is in the cgi-bin folder, you can  
attempt to call the engine directly. For example, if the engine is  
named "rev", then what happens when you request the url "http:// 
some.server.com/cgi-bin/rev"

Will Apache try to start the engine? My understanding of Apache and  
the cgi-bin folder suggests that it will. (But am not certain.)  
Normally, I think nothing will happen and the engine will immediately  
close. But if it were possible to coerce Apache to send parameters  
when opening the engine, the risks seem higher. In the case of the  
Windows Perl executable, I think Apache sent any query string  
attached to the url as a parameter. In some circumstances (forget  
details) the Perl executable will attempt to execute scripts passed  
as parameters. It was possible to craft a query string that would  
cause Perls to execute scripts.

As I said, I'm reasonably confident this can't be done with Rev. (But  
it will accept parameters.) But it's usually not a problem to put the  
engine somewhere outside of the cgi-bin folder and adjust the top  
line of the script accordingly.

The other advantage is that starting a script with #!usr/bin/revbin/ 
rev or #!../rev makes you look more knowledgeable than simply using #! 
rev   It's like the subtle difference between quiche and egg pie.  
You'll swear your scripts run faster. :-)

Cheers
Dave





More information about the use-livecode mailing list