viktoras at ekoinf.net
Wed Feb 20 06:08:58 EST 2008
The possibility of direct access to the Revolution engine (or any other file
in cgi-bin) can be completely eliminated by putting a .htaccess file with
the following content into the cgi-bin directory:
# mod_rewrite must be switched on in this directory for the rule to apply
RewriteEngine On
# any request path containing "rev" or "revolution" (case-insensitive) is redirected
RewriteRule ^(.*)(rev|revolution)(.*) http://localhost/cgi-bin/ [nc]
Now everyone trying to invoke rev or revolution from the outside world
will be redirected to his own localhost.
Dave Cragg wrote:
> On 20 Feb 2008, at 01:54, J. Landman Gay wrote:
>> I think we can relax as long as we don't script anything stupid. Here
>> are a couple of quotes from Scott Raney about it:
> Hi Jacque
> It wasn't the script content I was concerned about. Scripting problems
> exist wherever the engine is.
> My concern was that if the engine is in the cgi-bin folder, you can
> attempt to call the engine directly. For example, if the engine is
> named "rev", then what happens when you request the url
> Will Apache try to start the engine? My understanding of Apache and
> the cgi-bin folder suggests that it will. (But I am not certain.)
> Normally, I think nothing will happen and the engine will immediately
> close. But if it were possible to coerce Apache to send parameters
> when opening the engine, the risks seem higher. In the case of the
> Windows Perl executable, I think Apache sent any query string attached
> to the url as a parameter. In some circumstances (forget details) the
> Perl executable will attempt to execute scripts passed as parameters.
> It was possible to craft a query string that would cause Perl to
> execute scripts.
> As I said, I'm reasonably confident this can't be done with Rev. (But
> it will accept parameters.) But it's usually not a problem to put the
> engine somewhere outside of the cgi-bin folder and adjust the top line
> of the script accordingly.
> The other advantage is that starting a script with
> #!usr/bin/revbin/rev or #!../rev makes you look more knowledgeable
> than simply using #!rev. It's like the subtle difference between
> quiche and egg pie. You'll swear your scripts run faster. :-)
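As an added example (not configuration from the thread or from the Revolution project), here is the rule posted above beside a tightened .htaccess that refuses requests for the engine binary outright instead of redirecting them; it assumes mod_rewrite is loaded and that AllowOverride permits these directives in cgi-bin.

```apache
# .htaccess for the cgi-bin directory (added example, not from the thread).
# Assumes mod_rewrite is loaded and AllowOverride allows FileInfo/Limit here.

# --- Rule as posted in the thread ---
# The pattern is unanchored, so it also matches any other CGI whose name
# happens to contain "rev" (a hypothetical preview.cgi, for instance), and it
# answers with an external 302 redirect to the client's own localhost rather
# than refusing the request.
# RewriteEngine On
# RewriteRule ^(.*)(rev|revolution)(.*) http://localhost/cgi-bin/ [nc]

# --- Tightened form ---
RewriteEngine On
# In per-directory context the pattern is matched against the path relative
# to cgi-bin, so this hits only the engine itself, with or without trailing
# PATH_INFO (/cgi-bin/rev and /cgi-bin/rev/anything), and returns 403.
# [F] implies [L]; [NC] keeps the match case-insensitive as in the original.
RewriteRule ^(rev|revolution)(/.*)?$ - [F,NC]

# Belt and braces: deny the binary even if mod_rewrite is disabled.
# Apache 2.4 syntax; on 2.2 use "Order deny,allow" / "Deny from all" instead.
<FilesMatch "^(rev|revolution)$">
    Require all denied
</FilesMatch>

# Scripts that use the engine via their #! line are unaffected: the CGI
# script is what Apache executes, and it is still allowed here.
```

The alternative raised later in the thread, keeping the engine outside cgi-bin and pointing the scripts' #! line at it, removes the need for either rule.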