including a file on on-rev
J. Landman Gay
jacque at hyperactivesw.com
Tue Nov 3 18:15:54 CST 2009
Alex Tweedly wrote:
> J. Landman Gay wrote:
>> Yeah, this has been harrassing me. I'm pretty sure a path like this
>> would work but I haven't tried it yet: ~/path/to/includeFile. I'm
>> going to test it, that would be way easier.
> No - already guesses that one and tried it. "File not found"
This works though:
<?rev include "/home/jacque/public_html/myinclude.irev" ?>
>> (b) isn't it a (minor) security issue ?
>> No, because it's revTalk. The browser never sees the file path, only
>> the contents of the file. To the outside, it looks like hard-coded html.
> Different issue. I was concerned about simply guessing the directory
> name, and hence seeing the include files. Of course, since they are
> .irev files, you can't simply download them but you can see their names,
> guess their function, etc. and in some cases retrieving them will give
> some info about the internals of the site. And in a couple of cases I've
> just tried, there are other kinds of files in the includes (or inc)
> directory. (Apologies to anyone who notices me snooping around their
> site ;-)
Isn't that true of any site though? I've set my site not to display file
listings, and anyone who tries should get a "forbidden" error page. It's
an option in cPanel. Or you mean something else?
>> I don't think you'd have to, since the path is never sent to the
>> browser. Alternately, I suppose you could store the includes outside
>> the web folder. A path is a path, right?
> I didn't think you can do this - but you can.
I know. It's pretty common I guess, I first read about it some years ago
when researching something else. People writing to various forums
sometimes recommend storing files there because outsiders can't see or
> And that's kind of scary.
> It means that a script error (or deliberate misuse) in any of your
> add-on domains can see and alter all files, including those in other
> add-on domains. I'm not sure this is a "feature", it feels more like a
> "bug" (or at least, a "problem").
If so, it's a problem for any site using any language. PHP could do the
Jacqueline Landman Gay | jacque at hyperactivesw.com
HyperActive Software | http://www.hyperactivesw.com
More information about the use-livecode