On 8/7/05, Kai Peters <[EMAIL PROTECTED]> wrote:
>
> Thanks Sunanda - that was actually the first thing I tried and it didn't
> work initially. Must have screwed up the upload!?!
> Didn't know about clean-path which comes in handy - lots to learn!
>
> Using the script below, it now finds and displays the files. But all
> relative links from the files displayed via the Rebol script (to images
> & css scripts) are broken.
> Such as: <img src="images/header.png" alt="ZooBase Logo" width="750"
> height="90" border="0"> and "href="zbstyles.css"
>
> I have tried playing with change-dir in the script and changing the
> links in my html files to something like: "../httpdocs/images/header.png
> - all to no avail!
>
> What do I need to do to make this work?
>

If I had path problems, I would dump directories from the cgi, showing me
%../, %../ etc. from the "perspective" of the rebol script, and then try to
find the same by ftp. If they match, I have a base path.

For security, there are two ways. A basic one is using secure, like

  secure [file quit %../../httpdocs/ [allow read] %../user-contrib/ [allow]]

You can check that with

  probe secure query

If the script tries to go out of that sandbox, it auto-quits.

But you want the script to read, say, passwords, so you have to allow that
by secure, but not by malicious user input.

First step: clean-path

  !> clean-path %webconsole/../..
  == %/home/

No more tricky %.. inside.

Next one, checking for the basedir:

  !> find/match clean-path %webconsole/myfile clean-path %webconsole/
  == %myfile
  !> find/match clean-path %webconsole/../../volker clean-path %webconsole/
  == none

find/match checks for abbreviations. So

  data-dir: clean-path %somewhere/
  file: clean-path user-input
  if find/match file data-dir [
    "it's ok to read"
  ]

find

> Thanks again,
> Kai
>
>
> #!/home/httpd/vhosts/<my domain>/cgi-bin/rebol -cs
> REBOL []
> cgiparams: system/options/cgi/query-string
> print "Content-type: text/html^/"
> destpage: first parse/all cgiparams "&"
> destpage: second parse/all destpage "="
> ;****************************************************
> ; does the replace make it safe enough?
> ;****************************************************
> filename: rejoin [ %../httpdocs/ replace/all destpage "/" "@" ".html" ]
> either exists? filename [
>   html: read/lines filename
>   print html
> ][
>   print ["couldn't find " filename clean-path filename]
> ]
>
> --
> To unsubscribe from the list, just send an email to
> lists at rebol.com with unsubscribe as the subject.
>
>

--
-Volker
"Any problem in computer science can be solved with another layer of
indirection. But that usually will create another problem."
David Wheeler
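The canonicalize-then-prefix-check pattern Volker describes (clean-path followed by find/match against the data directory) is the standard defence against path traversal in a CGI that maps a query parameter to a file. As an added illustration that is not part of this thread and not Rebol, here is the same check written in Python, with the CGI's "page" parameter name, the base directory /srv/httpdocs and the sample query strings all constructed for the example. It returns the path relative to the base (the way find/match returns %myfile) or None when the input escapes, and it also rejects sibling directories that merely share a string prefix with the base.

```python
import os
from urllib.parse import parse_qs


def safe_relative(base_dir, user_input):
    """Python rendering of Volker's clean-path + find/match check.

    Canonicalize both the base directory and the candidate built from user
    input, then accept the candidate only if it still lies under the base.
    Returns the path relative to base (e.g. 'myfile') or None on escape.
    """
    base = os.path.realpath(base_dir)
    # os.path.join discards base when user_input is absolute, and realpath
    # folds every '..' away, so both tricks are visible to the check below.
    candidate = os.path.realpath(os.path.join(base, user_input))
    # commonpath compares path components, not characters: a plain string
    # prefix test would wrongly accept /srv/httpdocs2 for base /srv/httpdocs.
    if os.path.commonpath([base, candidate]) != base:
        return None
    return os.path.relpath(candidate, base)


def page_file_for(query_string, base_dir="/srv/httpdocs"):
    """Map a CGI query string to the .html file it may serve, or None.

    Mirrors the flow of Kai's script (take the page parameter, append
    '.html', look under the document directory) with the traversal check
    applied to the assembled name. 'page' and base_dir are assumed names
    constructed for this example.
    """
    params = parse_qs(query_string)
    page = params.get("page", [""])[0]
    if not page:
        return None
    rel = safe_relative(base_dir, page + ".html")
    if rel is None:
        return None
    return os.path.join(os.path.realpath(base_dir), rel)


if __name__ == "__main__":
    # Constructed sample inputs: benign pages beside traversal attempts.
    samples = [
        "page=about",
        "page=docs/../index",
        "page=../../etc/passwd",
        "page=/etc/passwd",
        "page=../httpdocs2/secret",
    ]
    for qs in samples:
        print(f"{qs!r:32} -> {page_file_for(qs)}")
```

A script that allows reads elsewhere (configuration, passwords) should keep that access in its own code path with a fixed file name; only the user-supplied part goes through safe_relative, which is the separation Volker is pointing at.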
