Serving Videos with LC/iRev

Richard Gaskin ambassador at fourthworld.com
Mon Nov 28 23:45:19 CET 2016


Rick Harrison wrote:

 >> On Nov 28, 2016, at 4:44 PM, Stephen Barncard wrote:
 >>
 >> FYI  the PHP forums mentioned devious ways to get info from folders
 >> outside of web root using INCLUDE.
 >>
 >> In a test with LIVECODE SERVER I was able to get html data from a
 >> text file inside of a folder above a web root using INCLUDE  but I
 >> didn't explore further.
 >
 > Hmm.. that’s rather disturbing for security isn’t it.
 > So much for PHP.  That’s why it’s best not to
 > set up PHP to be able to be used on servers.

Just about any language that can support file I/O can read and write 
files from any location it has access to.

Scripting engines don't generally care whether they're asked to read:

     /home/user/htdocs/something.lc

...or:

    /home/user/something.lc

If you set your folder and file permissions correctly, and properly 
sanitize inputs, there's nothing inherently unsafe about it.

On the contrary, sometimes it can be safer to be able to make use of 
data stored outside the web root, under the control of your script.

For example, Wordpress, Drupal, and most other systems that need to 
connect to a database need to store the password to the DB somewhere. 
Keeping that in the web root would be unsafe, so those systems usually 
keep it outside of that.

In most of my server systems I even keep stack files outside of the web 
root, served up with my CGI.  This keeps them safely away from spiders, 
and allows me to ensure authentication before access.

-- 
  Richard Gaskin
  Fourth World Systems
  Software Design and Development for the Desktop, Mobile, and the Web
  ____________________________________________________________________
  Ambassador at FourthWorld.com                http://www.FourthWorld.com



More information about the use-livecode mailing list