J. Landman Gay
jacque at hyperactivesw.com
Thu Feb 21 13:13:34 EST 2008
Dave Cragg wrote:
> Sorry to prolong this, Jacque.
Not at all. I think the discussion is valuable. I am fairly sure that
Rev is more secure than some other CGI implementations but I'd like to
know that for certain.
> The "internal server error" is returned
> by Apache, and only indicates that things "didn't work", but not
> necessarily that nothing happened. I tried calling this URL:
> I get the "500 internal server error", but in the Apache error log I see
> revolution: Can't load stack or script 12345
> [Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of
> script headers: /Library/WebServer/CGI-Executables/revolution
Right, I saw the same thing. The important part, I think, is that you
can't pass a parameter to the Rev engine unless there is a script on the
server that can parse those parameters (at least, that's what I think.
It's what I want to know for sure.) So, barring someone who physically
accesses the server and puts in a spy script, I don't think Rev will
work when passing parameters to the raw engine itself. But like I said,
I'd like this verified because right now I'm just guessing.
> Which suggests revolution started and "tried" to do something. That it
> fails (even when 12345 is substituted with a real stack) is reassuring.
> But then I wonder whether the failure may be due to this being the Darwin
> engine and it never opens regular stacks.
The Darwin engine opens stacks okay, I have several CGIs that open and
use regular stacks. The key is that they are all opened by a CGI script,
and the browser calls those scripts in the URL. I have not been able to
get Rev to respond properly by just calling the engine alone from a
browser, with or without parameters. But I'm not an expert, so I'd like
to know if there is a way to do that. If there is, then that would be
the weak point in the engine.
> And Chipp confirmed that the
> Linux engine will open stacks from a script, and so I wonder if it might
> open stacks from a passed parameter.
Chipp and I talked about that. I have an older engine on my site, which
opens stacks fine with either the "library" or "start using" commands;
it is only the "open" command that fails. Apparently this was changed in
a later engine version, so that "open" also works (I should update the
engine on my server, I guess.) But regardless, my scripts do open and
use stacks on the server even with the older engine, in both Darwin and
Linux environments. What I can't make Rev do is open a stack without
having a CGI script in place to do that.
> So instead of losing sleep, I just
> put the engine outside the cgi-bin folder.
I think this is a safe thing to do. Mainly I just want to verify, for my
own curiosity, whether Rev is as secure as Scott Raney implied. So far I
can't make it do anything it shouldn't -- but like I said, I'm no 'nix
expert and I'd need some help crafting a URL that would do the deed. If
anyone is willing to bang on the engine this way, I'd like to know what
they find out.
Jacqueline Landman Gay | jacque at hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
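The two error_log lines Dave quotes above are the trace a defender would look for when checking whether the bare engine in cgi-bin is being executed directly: the engine's own stderr message naming the argument it tried to load, followed by Apache's "Premature end of script headers" record for the engine binary. The parser below pairs those two lines and reports the client and the attempted load. It is an added example written for this thread, not code from the list or from the Revolution project; the sample log is constructed from the lines quoted above, and the engine name "revolution" and the exact message wording are assumed to match what the page shows.

```python
import re
from typing import Dict, List, Optional

# Constructed sample: the two error_log lines quoted in the thread. The engine's
# stderr line carries no timestamp; Apache's 500 record follows it.
SAMPLE_LOG = """\
revolution: Can't load stack or script 12345
[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution
"""

# Engine stderr line: "<engine>: Can't load stack or script <argument>" (assumed format).
ENGINE_STDERR = re.compile(r"^(?P<engine>\S+): Can't load stack or script (?P<arg>.+)$")
# Apache error_log record for a CGI that produced no headers (Apache 2.x format).
APACHE_500 = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Premature end of script headers: (?P<path>\S+)$"
)


def find_direct_engine_calls(log_text: str, engine_name: str = "revolution") -> List[Dict[str, Optional[str]]]:
    """Return one finding per Apache 500 record whose script path is the bare engine.

    A finding means Apache executed the engine binary itself (not a CGI script that
    uses it) and the engine tried to load whatever the request handed it. The most
    recent engine stderr line, if any, supplies the argument it attempted to load.
    """
    findings: List[Dict[str, Optional[str]]] = []
    pending: Optional[str] = None  # argument from the last engine stderr line, awaiting its 500 record
    for line in log_text.splitlines():
        m = ENGINE_STDERR.match(line)
        if m and m.group("engine") == engine_name:
            pending = m.group("arg")
            continue
        m = APACHE_500.match(line)
        if m and m.group("path").rsplit("/", 1)[-1] == engine_name:
            findings.append({
                "timestamp": m.group("ts"),
                "client": m.group("client"),
                "engine_path": m.group("path"),
                "attempted_load": pending,
            })
            pending = None
    return findings


if __name__ == "__main__":
    for f in find_direct_engine_calls(SAMPLE_LOG):
        print(f"{f['timestamp']}: client {f['client']} ran {f['engine_path']} "
              f"directly, engine tried to load {f['attempted_load']!r}")
```

Any finding at all means the engine is reachable as a CGI target, which is exactly what moving it out of the cgi-bin folder, as Dave did, prevents.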