RevCGI Hosts?

J. Landman Gay jacque at hyperactivesw.com
Wed Feb 20 12:54:33 EST 2008


Dave Cragg wrote:

> My concern was that if the engine is in the cgi-bin folder, you can 
> attempt to call the engine directly. For example, if the engine is named 
> "rev", then what happens when you request the url 
> "http://some.server.com/cgi-bin/rev"

I get an "internal server error" and nothing happens.

> 
> Will Apache try to start the engine?

Doesn't look like it, or if it does, it won't work. I think that's what 
Scott Raney was saying. The only vulnerabilities the engine allows are 
the ones you write into your scripts yourself.

> My understanding of Apache and the 
> cgi-bin folder suggests that it will. (But am not certain.) Normally, I 
> think nothing will happen and the engine will immediately close. But if 
> it were possible to coerce Apache to send parameters when opening the 
> engine, the risks seem higher.

I'm not sure how to pass parameters like that. If someone knows, I'd 
like to test it.

> As I said, I'm reasonably confident this can't be done with Rev. (But it 
> will accept parameters.) But it's usually not a problem to put the 
> engine somewhere outside of the cgi-bin folder and adjust the top line 
> of the script accordingly.
> 
> The other advantage is that starting a script with #!usr/bin/revbin/rev 
> or #!../rev makes you look more knowledgeable than simply using #!rev   
> It's like the subtle difference between quiche and egg pie. You'll swear 
> your scripts run faster. :-)

I can't argue with that. :)

BTW, even though I said I just name my cgi engine "rev", I lied. I 
didn't. I named it something unguessable, just to be safe. So you and I 
aren't so different after all.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
