J. Landman Gay
jacque at hyperactivesw.com
Wed Feb 20 12:54:33 EST 2008
Dave Cragg wrote:
> My concern was that if the engine is in the cgi-bin folder, you can
> attempt to call the engine directly. For example, if the engine is named
> "rev", then what happens when you request the url
I get an "internal server error" and nothing happens.
> Will Apache try to start the engine?
Doesn't look like it, or if it does, it won't work. I think that's what
Scott Raney was saying. The only vulnerabilities the engine allows are
the ones you write into your scripts yourself.
> My understanding of Apache and the
> cgi-bin folder suggests that it will. (But am not certain.) Normally, I
> think nothing will happen and the engine will immediately close. But if
> it were possible to coerce Apache to send parameters when opening the
> engine, the risks seem higher.
I'm not sure how to pass parameters like that. If someone knows, I'd
like to test it.
> As I said, I'm reasonably confident this can't be done with Rev. (But it
> will accept parameters.) But it's usually not a problem to put the
> engine somewhere outside of the cgi-bin folder and adjust the top line
> of the script accordingly.
> The other advantage is that starting a script with #!usr/bin/revbin/rev
> or #!../rev makes you look more knowledgeable than simply using #!rev
> It's like the subtle difference between quiche and egg pie. You'll swear
> your scripts run faster. :-)
I can't argue with that. :)
BTW, even though I said I just name my cgi engine "rev", I lied. I
didn't. I named it something unguessable, just to be safe. So you and I
aren't so different after all.
Jacqueline Landman Gay | jacque at hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
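The situation discussed above, as an added example that is not code from the thread, from Revolution or from any of its authors: a small POSIX shell script with three checks for the "engine in cgi-bin" layout. Anything executable under Apache's ScriptAlias directory is a CGI program addressable by URL, so a native engine binary placed there is itself requestable; the first check lists such files. The second checks where a script's shebang resolves, since mod_cgi runs the script with its own directory as the working directory, so a bare "#!rev" resolves to the copy inside cgi-bin while "#!../rev" or an absolute path keeps the engine outside. The third emulates the CGI "indexed query" rule of RFC 3875 section 4.4, which mod_cgi implements: a query string with no "=" is split on "+" and handed to the program as command-line arguments, which is the route by which a plain URL can pass parameters to whatever cgi-bin executes. The cgi-bin path, the engine name "rev" and the sample files are assumptions constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the thread or from Revolution/LiveCode.
# Three checks for an interpreter ("engine") placed in Apache's cgi-bin.
# The cgi-bin path, the engine name "rev" and the sample files are
# assumptions constructed for this demonstration.

# 1. List executables in a cgi-bin directory that are NOT "#!" scripts.
#    Apache runs any executable under a ScriptAlias directory when its URL
#    is requested, so a native engine binary found here is directly invocable.
find_binaries_in_cgibin() {
    dir=$1
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        magic=$(dd if="$f" bs=2 count=1 2>/dev/null | tr -d '\0')
        [ "$magic" = "#!" ] || printf '%s\n' "$f"
    done
}

# 2. Report whether a script's shebang resolves inside or outside cgi-bin.
#    mod_cgi runs the script with cgi-bin as its working directory, so a bare
#    "#!rev" means <cgi-bin>/rev (inside), while "#!../rev" or an absolute
#    path such as "#!/usr/bin/revbin/rev" keeps the engine outside.
shebang_location() {
    script=$1 dir=$2
    first=$(head -n 1 "$script")
    interp=${first#"#!"}
    interp=${interp%% *}                      # drop interpreter arguments
    case $interp in /*) ;; *) interp=$dir/$interp ;; esac
    parent=$(cd "$(dirname "$interp")" 2>/dev/null && pwd -P) \
        || parent=$(dirname "$interp")         # interpreter dir may not exist
    abs=$parent/$(basename "$interp")
    cgidir=$(cd "$dir" && pwd -P)
    case $abs in
        "$cgidir"/*) echo inside ;;
        *)           echo outside ;;
    esac
}

# 3. Emulate the CGI "indexed query" rule (RFC 3875 section 4.4, implemented
#    by mod_cgi): a query string containing no "=" is split on "+" and passed
#    to the program as command-line arguments, printed one per line here.
#    The server also percent-decodes each piece; that step is omitted here.
cgi_argv_from_query() {
    case $1 in *=*) return 0 ;; esac          # form-style query: no argv
    [ -n "$1" ] || return 0
    printf '%s\n' "$1" | tr '+' '\n'
}

# Demonstration on a constructed cgi-bin in a temporary directory.
demo() {
    tmp=$(mktemp -d)
    printf '#!/bin/sh\necho ok\n' > "$tmp/hello.cgi"
    printf '#!rev\nput "hi"\n' > "$tmp/inside.cgi"
    printf '#!../rev\nput "hi"\n' > "$tmp/outside.cgi"
    printf '\177ELF fake engine\n' > "$tmp/rev"   # stand-in for a native binary
    chmod +x "$tmp"/*
    echo "executables in cgi-bin that are not scripts (reachable by URL):"
    find_binaries_in_cgibin "$tmp"
    echo "inside.cgi engine is: $(shebang_location "$tmp/inside.cgi" "$tmp")"
    echo "outside.cgi engine is: $(shebang_location "$tmp/outside.cgi" "$tmp")"
    echo "argv handed to the program for ?-version+-h:"
    cgi_argv_from_query '-version+-h'
    rm -rf "$tmp"
}
demo
```

Run it against a real cgi-bin by calling the functions with that directory instead of the temporary one; any path printed by the first check is a program Apache will exec on request, and the third check shows what a query string without "=" turns into on its command line.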