The possibility of direct access to the Revolution engine (or any other file
in cgi-bin) can be completely eliminated by putting a .htaccess file with
the following content into the cgi-bin directory:
RewriteEngine on
RewriteRule ^(.*)(rev|revolution)(.*) http://localhost/cgi-bin/ [nc]
Now everyone trying to invoke rev or revolution from the outside world
will be redirected to his own localhost.
best wishes!
Viktoras
Dave Cragg wrote:
On 20 Feb 2008, at 01:54, J. Landman Gay wrote:
I think we can relax as long as we don't script anything stupid. Here
are a couple of quotes from Scott Raney about it:
Hi Jacque
It wasn't the script content I was concerned about. Scripting problems
exist wherever the engine is.
My concern was that if the engine is in the cgi-bin folder, you can
attempt to call the engine directly. For example, if the engine is
named "rev", then what happens when you request the url
"http://some.server.com/cgi-bin/rev"
Will Apache try to start the engine? My understanding of Apache and
the cgi-bin folder suggests that it will. (But I am not certain.)
Normally, I think nothing will happen and the engine will immediately
close. But if it were possible to coerce Apache to send parameters
when opening the engine, the risks seem higher. In the case of the
Windows Perl executable, I think Apache sent any query string attached
to the url as a parameter. In some circumstances (forget details) the
Perl executable will attempt to execute scripts passed as parameters.
It was possible to craft a query string that would cause Perl to
execute scripts.
As I said, I'm reasonably confident this can't be done with Rev. (But
it will accept parameters.) But it's usually not a problem to put the
engine somewhere outside of the cgi-bin folder and adjust the top line
of the script accordingly.
The other advantage is that starting a script with
#!usr/bin/revbin/rev or #!../rev makes you look more knowledgeable
than simply using #!rev. It's like the subtle difference between
quiche and egg pie. You'll swear your scripts run faster. :-)
Cheers
Dave
_______________________________________________
use-revolution mailing list
use-revolution@lists.runrev.com
Please visit this url to subscribe, unsubscribe and manage your
subscription preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
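As an added check (not part of the thread or of Revolution itself): the Python below models how the RewriteRule pattern from the .htaccess above, with the [NC] flag, is matched against the file name requested under cgi-bin/. It shows that the unanchored pattern redirects every request whose name merely contains "rev", and compares it with an assumed anchored alternative that matches only the engine names themselves.

```python
import re

# Pattern from the .htaccess rule above, compiled as Apache would with [NC]
# (case-insensitive). In a per-directory .htaccess, mod_rewrite strips the
# directory prefix and matches the pattern against the remaining path, i.e.
# the file name requested under cgi-bin/.
PAGE_RULE = re.compile(r"^(.*)(rev|revolution)(.*)", re.IGNORECASE)

# Assumed tighter alternative (not from the thread): anchored at both ends so
# only the engine binaries match, not every name containing "rev".
STRICT_RULE = re.compile(r"^(rev|revolution)$", re.IGNORECASE)

REDIRECT_TARGET = "http://localhost/cgi-bin/"


def apply_rule(rule, cgi_relative_path):
    """Return the redirect target if `rule` fires for this path, else None
    (None means Apache would go on to serve or execute the file as usual)."""
    if rule.search(cgi_relative_path):
        return REDIRECT_TARGET
    return None


def partition(rule, paths):
    """Split request paths into those the rule redirects and those it lets through."""
    redirected = [p for p in paths if apply_rule(rule, p) is not None]
    served = [p for p in paths if apply_rule(rule, p) is None]
    return redirected, served


# Constructed sample requests: the engine names the thread talks about, plus
# unrelated CGI scripts whose names happen to contain the substring "rev".
SAMPLE_REQUESTS = [
    "rev",            # the engine itself
    "revolution",     # the engine under its long name
    "REV",            # same name in a different case; [NC] still matches
    "preview.cgi",    # unrelated script: "p-r-e-v-iew" contains "rev"
    "revenue.pl",     # unrelated script, also caught by the broad rule
    "hello.cgi",      # unrelated script, never matched
]


if __name__ == "__main__":
    for name, rule in (("page rule", PAGE_RULE), ("strict rule", STRICT_RULE)):
        redirected, served = partition(rule, SAMPLE_REQUESTS)
        print(f"{name}: redirected={redirected} served={served}")
```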