RevCGI Hosts?

Dave Cragg dave.cragg at lacscentre.co.uk
Thu Feb 21 05:03:57 CST 2008


On 20 Feb 2008, at 17:54, J. Landman Gay wrote:

> Dave Cragg wrote:
>
>> My concern was that if the engine is in the cgi-bin folder, you  
>> can attempt to call the engine directly. For example, if the  
>> engine is named "rev", then what happens when you request the url  
>> "http://some.server.com/cgi-bin/rev"
>
> I get an "internal server error" and nothing happens.
>
>> Will Apache try to start the engine?
>
> Doesn't look like it, or if it does, it won't work. I think that's  
> what Scott Raney was saying. The only vulnerabilities the engine  
> allows are the ones you write into your scripts yourself.

Sorry to prolong this, Jacque. The "internal server error" is  
returned by Apache, and only indicates that things "didn't work", but  
not necessarily that nothing happened. I tried calling this URL:

http://localhost/cgi-bin/revolution?12345

I get the "500 internal server error", but in the Apache error log I  
see this:

revolution: Can't load stack or script 12345
[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end  
of script headers: /Library/WebServer/CGI-Executables/revolution

Which suggests revolution started and "tried" to do something. That  
it fails (even when 12345 is substituted with a real stack) is  
reassuring. But then I wonder that the failure may be due to this  
being the Darwin engine and it never opens regular stacks. And Chipp  
confirmed that the Linux engine will open stacks from a script, and  
so I wonder if it might open stacks from a passed parameter. So  
instead of losing sleep, I just put the engine outside the cgi-bin  
folder.

Dave



More information about the use-livecode mailing list