RevCGI Hosts?

J. Landman Gay jacque at hyperactivesw.com
Thu Feb 21 13:13:34 EST 2008


Dave Cragg wrote:

> Sorry to prolong this, Jacque.

Not at all. I think the discussion is valuable. I am fairly sure that 
Rev is more secure than some other CGI implementations but I'd like to 
know that for certain.

> The "internal server error" is returned 
> by Apache, and only indicates that things "didn't work", but not 
> necessarily that nothing happened. I tried calling this URL:
> 
> http://localhost/cgi-bin/revolution?12345
> 
> I get the "500 internal server error", but in the Apache error log I see 
> this:
> 
> revolution: Can't load stack or script 12345
> [Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of 
> script headers: /Library/WebServer/CGI-Executables/revolution

Right, I saw the same thing. The important part, I think, is that you 
can't pass a parameter to the Rev engine unless there is a script on the 
server that can parse those parameters (at least, that's what I think. 
It's what I want to know for sure.) So, barring someone who physically 
accesses the server and puts in a spy script, I don't think Rev will 
work when passing parameters to the raw engine itself. But like I said, 
I'd like this verified because right now I'm just guessing.

> 
> Which suggests revolution started and "tried" to do something. That it 
> fails (even when 12345 is substituted with a real stack) is reassuring. 
> But then I wonder that the failure may be due to this being the Darwin 
> engine and it never opens regular stacks.

The Darwin engine opens stacks okay, I have several CGIs that open and 
use regular stacks. The key is that they are all opened by a CGI script, 
and the browser calls those scripts in the URL. I have not been able to 
get Rev to respond properly by just calling the engine alone from a 
browser, with or without parameters. But I'm not an expert, so I'd like 
to know if there is a way to do that. If there is, then that would be 
the weak point in the engine.

> And Chipp confirmed that the 
> Linux engine will open stacks from a script, and so I wonder if it might 
> open stacks from a passed parameter.

Chipp and I talked about that. I have an older engine on my site, which 
opens stacks fine with either the "library" or "start using" commands; 
it is only the "open" command that fails. Apparently this was changed in 
a later engine version, so that "open" also works (I should update the 
engine on my server, I guess.) But regardless, my scripts do open and 
use stacks on the server even with the older engine, in both Darwin and 
Linux environments. What I can't make Rev do is open a stack without 
having a CGI script in place to do that.

> So instead of losing sleep, I just 
> put the engine outside the cgi-bin folder.

I think this is a safe thing to do. Mainly I just want to verify, for my 
own curiosity, whether Rev is as secure as Scott Raney implied. So far I 
can't make it do anything it shouldn't -- but like I said, I'm no 'nix 
expert and I'd need some help crafting a URL that would do the deed. If 
anyone is willing to bang on the engine this way, I'd like to know what 
they find out.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
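The error-log pair Dave quoted above (the engine's own "Can't load stack or script" line followed by Apache's "Premature end of script headers" entry naming the bare `revolution` binary) is exactly the trace a direct call to the engine leaves behind, whether or not it succeeds. The following script is an added example, not code from this thread or from the Revolution/LiveCode project: it parses log lines of that shape, keeps only the entries where the script Apache ran was the raw engine rather than a CGI stack, and counts them per client so an administrator can see whether anyone is poking at the engine directly. The log lines are constructed for the example (modelled on the two lines in the thread), the `192.0.2.10` client and `mystack.rev` argument are invented, and the engine binary name `revolution` is assumed to be the one deployed in cgi-bin.

```python
import re
import os
from collections import Counter

# Constructed sample in the shape shown in the thread: the engine's own message,
# then Apache's "Premature end of script headers" line for the same request.
# The 192.0.2.10 client, the mystack.rev argument and the favicon line are made up.
SAMPLE_LOG = """\
revolution: Can't load stack or script 12345
[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution
revolution: Can't load stack or script mystack.rev
[Thu Feb 21 10:42:02 2008] [error] [client 192.0.2.10] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution
[Thu Feb 21 10:43:11 2008] [error] [client 192.0.2.10] File does not exist: /Library/WebServer/Documents/favicon.ico
"""

# Name of the engine binary as installed in cgi-bin (assumption for this example).
ENGINE_BINARY = "revolution"

# The engine writes this to stderr, which Apache routes into error_log.
ENGINE_RE = re.compile(r"^revolution: Can't load stack or script (?P<arg>.*)$")

# Apache's own entry for a CGI that exited without emitting headers.
APACHE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Premature end of script headers: (?P<script>\S+)$"
)


def is_direct_engine_call(script_path):
    """True when the script Apache executed was the bare engine, not a CGI stack."""
    return os.path.basename(script_path) == ENGINE_BINARY


def parse_engine_events(log_text):
    """Pair each engine complaint with the Apache line that follows it.

    Returns a list of dicts (ts, client, arg, script) for requests that hit the
    raw engine. Premature-header errors from other scripts are ignored.
    """
    events = []
    pending_arg = None
    for line in log_text.splitlines():
        m = ENGINE_RE.match(line)
        if m:
            # Remember the argument the engine tried to load until Apache's
            # entry for the same request tells us the client and timestamp.
            pending_arg = m.group("arg")
            continue
        m = APACHE_RE.match(line)
        if m and pending_arg is not None and is_direct_engine_call(m.group("script")):
            events.append({
                "ts": m.group("ts"),
                "client": m.group("client"),
                "arg": pending_arg,
                "script": m.group("script"),
            })
        # Any Apache error line closes the pending engine message, matched or not.
        if m:
            pending_arg = None
    return events


def summarize_by_client(events):
    """Count direct-engine attempts per client address."""
    return Counter(e["client"] for e in events)


if __name__ == "__main__":
    found = parse_engine_events(SAMPLE_LOG)
    for e in found:
        print(f"{e['ts']}  {e['client']}  tried to load {e['arg']!r} via {e['script']}")
    for client, n in summarize_by_client(found).items():
        print(f"{client}: {n} direct engine call(s)")
```

Run it against a real `error_log` by reading the file into `parse_engine_events`; the pairing relies on the engine's stderr line landing immediately before Apache's entry, which is how the thread's excerpt shows them, so on a busy server with interleaved requests the attribution of `arg` to `client` is best-effort. If the engine has been moved out of cgi-bin as Dave did, any remaining hits are worth a look, since nothing legitimate should be invoking it directly.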