Dave Cragg wrote:

> My concern was that if the engine is in the cgi-bin folder, you can attempt to call the engine directly. For example, if the engine is named "rev", then what happens when you request the url "http://some.server.com/cgi-bin/rev"?

I get an "internal server error" and nothing happens.

> Will Apache try to start the engine?

Doesn't look like it, or if it does, it won't work. I think that's what Scott Raney was saying. The only vulnerabilities the engine allows are the ones you write into your scripts yourself.

> My understanding of Apache and the cgi-bin folder suggests that it will. (But am not certain.) Normally, I think nothing will happen and the engine will immediately close. But if it were possible to coerce Apache to send parameters when opening the engine, the risks seem higher.

I'm not sure how to pass parameters like that. If someone knows, I'd like to test it.

> As I said, I'm reasonably confident this can't be done with Rev. (But it will accept parameters.) But it's usually not a problem to put the engine somewhere outside of the cgi-bin folder and adjust the top line of the script accordingly.
>
> The other advantage is that starting a script with #!usr/bin/revbin/rev or #!../rev makes you look more knowledgeable than simply using #!rev. It's like the subtle difference between quiche and egg pie. You'll swear your scripts run faster. :-)

I can't argue with that. :)

BTW, even though I said I just name my cgi engine "rev", I lied. I didn't. I named it something unguessable, just to be safe. So you and I aren't so different after all.

--
Jacqueline Landman Gay         |     [EMAIL PROTECTED]
HyperActive Software           |     http://www.hyperactivesw.com
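
The thread's advice is to keep the engine outside the cgi-bin folder and point each script's top line at it. The following audit is an added example, not part of the original message: it lists scripts whose `#!` line resolves to a file inside the cgi-bin tree. The sample files and the `/usr/local/revbin/rev` path are constructed, and it assumes the server runs each script with the script's own directory as the working directory.

```python
import os
import tempfile

def shebang_target(script_path):
    """Return the interpreter named on a script's #! line, or None."""
    with open(script_path, "rb") as fh:
        first = fh.readline(256)
    if not first.startswith(b"#!"):
        return None
    parts = first[2:].decode("utf-8", "replace").split()
    return parts[0] if parts else None

def audit_cgi_dir(cgi_dir):
    """Return (script, interpreter) pairs whose interpreter lives inside cgi_dir."""
    root = os.path.realpath(cgi_dir)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        for name in sorted(files):
            interp = shebang_target(os.path.join(dirpath, name))
            if interp is None:
                continue
            # Assumption: the server runs a CGI script with the script's own
            # directory as the working directory, so "#!rev" means "./rev".
            resolved = os.path.realpath(os.path.join(dirpath, interp))
            if os.path.commonpath([root, resolved]) == root:
                rel = os.path.relpath(os.path.join(dirpath, name), root)
                findings.append((rel, interp))
    return findings

def demo():
    """Build a constructed sample tree and audit it."""
    with tempfile.TemporaryDirectory() as top:
        cgi = os.path.join(top, "cgi-bin")
        os.makedirs(cgi)
        samples = {
            "rev": b"\x7fELF constructed stand-in for the engine binary",
            "same_dir.cgi": b"#!rev\n",
            "parent_dir.cgi": b"#!../rev\n",
            "abs_outside.cgi": b"#!/usr/local/revbin/rev\n",
            "abs_inside.cgi": b"#!" + os.path.join(cgi, "rev").encode() + b"\n",
        }
        for name, body in samples.items():
            with open(os.path.join(cgi, name), "wb") as fh:
                fh.write(body)
        return audit_cgi_dir(cgi)

if __name__ == "__main__":
    for script, interp in demo():
        print(f"{script}: interpreter {interp} is reachable under cgi-bin")
```

Scripts using `#!../rev` or an absolute path outside the tree are not reported, which matches the layout the quoted message recommends.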