RevCGI Hosts?

viktoras didziulis viktoras at ekoinf.net
Wed Feb 20 06:08:58 EST 2008


The possibility of direct access to the revolution engine (or any other file 
in cgi-bin) can be completely eliminated by putting an .htaccess file with 
the following content into the cgi-bin directory:

RewriteEngine on
RewriteRule ^(.*)(rev|revolution)(.*) http://localhost/cgi-bin/ [nc]

Now everyone trying to invoke rev or revolution from the outside world 
will be redirected to his own localhost.

best wishes!
Viktoras

Dave Cragg wrote:
>
> On 20 Feb 2008, at 01:54, J. Landman Gay wrote:
>
>>
>> I think we can relax as long as we don't script anything stupid. Here 
>> are a couple of quotes from Scott Raney about it:
>
> Hi Jacque
>
> It wasn't the script content I was concerned about. Scripting problems 
> exist wherever the engine is.
>
> My concern was that if the engine is in the cgi-bin folder, you can 
> attempt to call the engine directly. For example, if the engine is 
> named "rev", then what happens when you request the url 
> "http://some.server.com/cgi-bin/rev"
>
> Will Apache try to start the engine? My understanding of Apache and 
> the cgi-bin folder suggests that it will. (But am not certain.) 
> Normally, I think nothing will happen and the engine will immediately 
> close. But if it were possible to coerce Apache to send parameters 
> when opening the engine, the risks seem higher. In the case of the 
> Windows Perl executable, I think Apache sent any query string attached 
> to the url as a parameter. In some circumstances (forget details) the 
> Perl executable will attempt to execute scripts passed as parameters. 
> It was possible to craft a query string that would cause Perl to 
> execute scripts.
>
> As I said, I'm reasonably confident this can't be done with Rev. (But 
> it will accept parameters.) But it's usually not a problem to put the 
> engine somewhere outside of the cgi-bin folder and adjust the top line 
> of the script accordingly.
>
> The other advantage is that starting a script with 
> #!usr/bin/revbin/rev or #!../rev makes you look more knowledgeable 
> than simply using #!rev   It's like the subtle difference between 
> quiche and egg pie. You'll swear your scripts run faster. :-)
>
> Cheers
> Dave
>
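
An added example, not part of the original post: a small Python check of which request paths the posted RewriteRule pattern catches when it sits in the cgi-bin .htaccess, compared with a variant anchored to the engine's exact file name. The anchored pattern and the sample script names are assumptions made for illustration.

```python
import re

# Pattern from the posted .htaccess rule; the [nc] flag maps to re.IGNORECASE.
POSTED_RULE = r"^(.*)(rev|revolution)(.*)"
# Assumption (not from the post): a variant anchored to the engine's exact name.
ANCHORED_RULE = r"^(rev|revolution)$"
REDIRECT_TARGET = "http://localhost/cgi-bin/"


def per_dir_path(url, base="/cgi-bin/"):
    """Return what a RewriteRule in base's .htaccess is matched against:
    the URL path with the directory prefix and any query string removed."""
    path = url.split("?", 1)[0]
    return path[len(base):] if path.startswith(base) else None


def decision(url, pattern):
    """Return the redirect target if the rule fires for url, else None."""
    rel = per_dir_path(url)
    if rel is None:
        return None
    return REDIRECT_TARGET if re.search(pattern, rel, re.IGNORECASE) else None


def redirected(urls, pattern):
    """List the URLs that the given rule pattern would redirect."""
    return [u for u in urls if decision(u, pattern)]


# Constructed sample requests (script names are hypothetical).
SAMPLE_URLS = [
    "/cgi-bin/rev",
    "/cgi-bin/REV?a=b",
    "/cgi-bin/revolution",
    "/cgi-bin/guestbook.cgi",
    "/cgi-bin/preview.cgi",
    "/cgi-bin/reviews.cgi?id=7",
]

if __name__ == "__main__":
    for name, pat in (("posted", POSTED_RULE), ("anchored", ANCHORED_RULE)):
        print(name, "rule redirects:", redirected(SAMPLE_URLS, pat))
```

The posted pattern fires for any file name containing "rev", so scripts such as preview.cgi are redirected along with the engine, while the anchored variant only catches the engine binary itself.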



