including a file on on-rev

J. Landman Gay jacque at hyperactivesw.com
Tue Nov 3 19:15:54 EST 2009


Alex Tweedly wrote:
> J. Landman Gay wrote:
>> Yeah, this has been harassing me. I'm pretty sure a path like this 
>> would work but I haven't tried it yet: ~/path/to/includeFile. I'm 
>> going to test it, that would be way easier.
>>
> No - already guessed that one and tried it. "File not found"

This works though:

<?rev include "/home/jacque/public_html/myinclude.irev" ?>


>>  (b) isn't it a (minor) security issue ?
>>
>> No, because it's revTalk. The browser never sees the file path, only 
>> the contents of the file. To the outside, it looks like hard-coded html.

> Different issue. I was concerned about simply guessing the directory 
> name, and hence seeing the include files. Of course, since they are 
> .irev files, you can't simply download them but you can see their names, 
> guess their function, etc. and in some cases retrieving them will give 
> some info about the internals of the site. And in a couple of cases I've 
> just tried, there are other kinds of files in the includes (or inc) 
> directory. (Apologies to anyone who notices me snooping around their 
> site ;-)

Isn't that true of any site though? I've set my site not to display file 
listings, and anyone who tries should get a "forbidden" error page. It's 
an option in cPanel. Or you mean something else?

>> I don't think you'd have to, since the path is never sent to the 
>> browser. Alternately, I suppose you could store the includes outside 
>> the web folder. A path is a path, right?
>>
> I didn't think you can do this - but you can.

I know. It's pretty common, I guess; I first read about it some years ago 
when researching something else. People writing to various forums 
sometimes recommend storing files there because outsiders can't see or 
download them.

> And that's kind of scary. 
> It means that a script error (or deliberate misuse) in any of your 
> add-on domains can see and alter all files, including those in other 
> add-on domains.  I'm not sure this is a "feature", it feels more like a 
> "bug" (or at least, a "problem").

If so, it's a problem for any site using any language. PHP could do the 
same thing.

-- 
Jacqueline Landman Gay         |     jacque at hyperactivesw.com
HyperActive Software           |     http://www.hyperactivesw.com
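The thread above turns on one question: does an `<?rev include "..." ?>` directive pull its file from inside the served `public_html` tree (where a guessed URL or a directory listing could expose it) or from a private folder beside it? As an added illustration, not code from the thread or from on-rev, the small audit below scans an irev page for include directives and classifies each path. It is purely lexical (no filesystem access), assumes the constructed document root `/home/jacque/public_html` from Jacque's working example, and flags `~` paths separately because Alex reports that on-rev answers "File not found" for them; relative paths are flagged as unverified since the thread does not say how on-rev resolves them.

```python
import posixpath
import re
from pathlib import PurePosixPath

# Constructed layout (assumption for this example): the account's document
# root, matching the absolute path Jacque reports as working in the thread.
WEB_ROOT = PurePosixPath("/home/jacque/public_html")

# Matches the directive form quoted in the thread: <?rev include "path" ?>
INCLUDE_RE = re.compile(r'<\?rev\s+include\s+"([^"]+)"\s*\?>')


def classify_include(path, web_root=WEB_ROOT):
    """Classify one include path by where it would load from.

    'tilde'    - starts with '~'; the thread reports on-rev does not expand it
    'relative' - no leading '/'; resolution is server-dependent, so flag it
    'inside'   - absolute and beneath the web root (reachable by URL if the
                 server ever serves the file or lists its directory)
    'outside'  - absolute and not beneath the web root

    '..' segments are collapsed lexically before comparing, and the comparison
    is by path component, so /home/jacque/public_html_old is not mistaken for
    a child of /home/jacque/public_html (a naive string-prefix test would).
    """
    if path.startswith("~"):
        return "tilde"
    if not path.startswith("/"):
        return "relative"
    parts = PurePosixPath(posixpath.normpath(path)).parts
    root = web_root.parts
    return "inside" if parts[: len(root)] == root else "outside"


def audit_irev(source, web_root=WEB_ROOT):
    """Return [(path, classification)] for every include directive in source."""
    return [(p, classify_include(p, web_root)) for p in INCLUDE_RE.findall(source)]


# Constructed sample page (not from the thread) exercising each case.
SAMPLE_PAGE = """<html><body>
<?rev include "/home/jacque/public_html/myinclude.irev" ?>
<?rev include "~/path/to/includeFile" ?>
<?rev include "/home/jacque/public_html/inc/../../private/footer.irev" ?>
<?rev include "/home/jacque/public_html_old/header.irev" ?>
<?rev include "inc/nav.irev" ?>
</body></html>"""

if __name__ == "__main__":
    for path, where in audit_irev(SAMPLE_PAGE):
        print(f"{where:9s} {path}")
```

Run against the sample page it reports the first directive as `inside` and the `..`-laden third one as `outside`, which is the distinction that matters: an include that resolves to a private folder is never fetchable by URL, while one under `public_html` relies on the server refusing to serve or list it, as the cPanel "forbidden" setting mentioned above does.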