On 20 Feb 2008, at 17:54, J. Landman Gay wrote:

> Dave Cragg wrote:
>
>> My concern was that if the engine is in the cgi-bin folder, you can attempt to call the engine directly. For example, if the engine is named "rev", then what happens when you request the url "http://some.server.com/cgi-bin/rev"?
>
> I get an "internal server error" and nothing happens.
>
>> Will Apache try to start the engine?
>
> Doesn't look like it, or if it does, it won't work. I think that's what Scott Raney was saying. The only vulnerabilities the engine allows are the ones you write into your scripts yourself.

Sorry to prolong this, Jacque. The "internal server error" is returned by Apache, and only indicates that things "didn't work", but not necessarily that nothing happened. I tried calling this URL:

http://localhost/cgi-bin/revolution?12345

I get the "500 internal server error", but in the Apache error log I see this:

revolution: Can't load stack or script 12345
[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution

Which suggests revolution started and "tried" to do something. That it fails (even when 12345 is substituted with a real stack) is reassuring. But then I wonder whether the failure may be due to this being the Darwin engine, which never opens regular stacks. And Chipp confirmed that the Linux engine will open stacks from a script, and so I wonder if it might open stacks from a passed parameter. So instead of losing sleep, I just put the engine outside the cgi-bin folder.

Dave
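Added example (not part of the thread, and not Revolution's or Apache's own code): a small log check, in the defender's spirit of Dave's test above, that scans Apache error_log lines for requests that caused the engine binary itself (rather than a script) to be executed from the CGI directory. It assumes the two line formats quoted in the thread; the engine names, timestamps, client addresses and the sample lines themselves are constructed for the example.

```python
import re
from collections import defaultdict

# Engine binary names to watch for; "revolution" and "rev" are the two names
# mentioned in the thread (assumption: your engine is installed under one of them).
ENGINE_NAMES = {"revolution", "rev"}

# Constructed sample error_log, modelled on the two lines Dave quoted. The
# hello.cgi line and the second client address are made up for the example.
SAMPLE_ERROR_LOG = """\
revolution: Can't load stack or script 12345
[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution
[Thu Feb 21 10:42:10 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/hello.cgi
revolution: Can't load stack or script report.rev
[Thu Feb 21 10:43:02 2008] [error] [client 192.0.2.7] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution
"""

# Apache's own line: timestamp, level, client, and the path of the CGI it ran.
PREMATURE_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] \[error\] \[client (?P<client>[^\]]+)\] "
    r"Premature end of script headers: (?P<path>\S+)$"
)

# The engine's stderr line (no timestamp), carrying the argument it was given.
ENGINE_MSG_RE = re.compile(
    r"^(?P<engine>[A-Za-z0-9_.-]+): Can't load stack or script (?P<arg>.*)$"
)


def find_direct_engine_calls(log_text, engine_names=ENGINE_NAMES):
    """Return one record per request in which the CGI Apache executed was the
    engine binary itself, together with the argument the engine reported
    (taken from the engine's stderr line immediately preceding Apache's line)."""
    findings = []
    pending_arg = None
    for line in log_text.splitlines():
        m = ENGINE_MSG_RE.match(line)
        if m and m.group("engine") in engine_names:
            pending_arg = m.group("arg")
            continue
        m = PREMATURE_RE.match(line)
        if not m:
            continue
        basename = m.group("path").rsplit("/", 1)[-1]
        if basename in engine_names:
            findings.append({
                "time": m.group("ts"),
                "client": m.group("client"),
                "engine_path": m.group("path"),
                "requested": pending_arg,
            })
        # Any Apache line ends the pairing, whether or not it was the engine.
        pending_arg = None
    return findings


def summarize_by_client(findings):
    """Count direct engine invocations per client address."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["client"]] += 1
    return dict(counts)


if __name__ == "__main__":
    hits = find_direct_engine_calls(SAMPLE_ERROR_LOG)
    for h in hits:
        print(f"{h['time']}  {h['client']}  ran {h['engine_path']} with {h['requested']!r}")
    print("per client:", summarize_by_client(hits))
```

Any hit at all means the engine is reachable as a CGI program in its own right, which is exactly the situation Dave resolved by moving the binary out of the cgi-bin folder; the `requested` field shows what the engine was asked to load, so you can see whether the calls were stray probes or something aimed at a real stack name.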
_______________________________________________
use-revolution mailing list
[email protected]
Please visit this url to subscribe, unsubscribe and manage your subscription 
preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution