Dave Cragg wrote:
> Sorry to prolong this, Jacque.
Not at all. I think the discussion is valuable. I am fairly sure that
Rev is more secure than some other CGI implementations but I'd like to
know that for certain.
> The "internal server error" is returned
> by Apache, and only indicates that things "didn't work", but not
> necessarily that nothing happened. I tried calling this URL:
> http://localhost/cgi-bin/revolution?12345
> I get the "500 internal server error", but in the Apache error log I see
> this:
> revolution: Can't load stack or script 12345
> [Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of
> script headers: /Library/WebServer/CGI-Executables/revolution
Right, I saw the same thing. The important part, I think, is that you
can't pass a parameter to the Rev engine unless there is a script on the
server that can parse those parameters (at least, that's what I think.
It's what I want to know for sure.) So, barring someone who physically
accesses the server and puts in a spy script, I don't think Rev will
work when passing parameters to the raw engine itself. But like I said,
I'd like this verified because right now I'm just guessing.
> Which suggests revolution started and "tried" to do something. That it
> fails (even when 12345 is substituted with a real stack) is reassuring.
> But then I wonder whether the failure may be due to this being the Darwin
> engine and it never opens regular stacks.
The Darwin engine opens stacks okay, I have several CGIs that open and
use regular stacks. The key is that they are all opened by a CGI script,
and the browser calls those scripts in the URL. I have not been able to
get Rev to respond properly by just calling the engine alone from a
browser, with or without parameters. But I'm not an expert, so I'd like
to know if there is a way to do that. If there is, then that would be
the weak point in the engine.
> And Chipp confirmed that the
> Linux engine will open stacks from a script, and so I wonder if it might
> open stacks from a passed parameter.
Chipp and I talked about that. I have an older engine on my site, which
opens stacks fine with either the "library" or "start using" commands;
it is only the "open" command that fails. Apparently this was changed in
a later engine version, so that "open" also works (I should update the
engine on my server, I guess.) But regardless, my scripts do open and
use stacks on the server even with the older engine, in both Darwin and
Linux environments. What I can't make Rev do is open a stack without
having a CGI script in place to do that.
> So instead of losing sleep, I just
> put the engine outside the cgi-bin folder.
I think this is a safe thing to do. Mainly I just want to verify, for my
own curiosity, whether Rev is as secure as Scott Raney implied. So far I
can't make it do anything it shouldn't -- but like I said, I'm no 'nix
expert and I'd need some help crafting a URL that would do the deed. If
anyone is willing to bang on the engine this way, I'd like to know what
they find out.
--
Jacqueline Landman Gay | [EMAIL PROTECTED]
HyperActive Software | http://www.hyperactivesw.com
_______________________________________________
use-revolution mailing list
[email protected]
Please visit this url to subscribe, unsubscribe and manage your subscription
preferences:
http://lists.runrev.com/mailman/listinfo/use-revolution
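The thread turns on two practical checks: whether a raw engine binary (rather than a wrapper script) is sitting in cgi-bin where a browser can call it directly, and what a direct call leaves behind in the Apache error log. The script below is an added example, not code from the thread or from Runtime Revolution. It assumes the cgi-bin path is passed as an argument; the sample log lines are constructed, modelled on the entry Dave quoted.

```shell
#!/bin/sh
# Added example (not from the mailing-list thread): two small checks for the
# situation discussed above.
#
# 1. audit_cgi_bin DIR
#    Lists every executable in a cgi-bin directory and classifies it as a
#    "script" (starts with "#!") or a "BINARY" (anything else, e.g. the Rev
#    engine itself). A raw engine binary in cgi-bin is callable as
#    /cgi-bin/<name>?... from a browser, which is what the thread worries
#    about; moving it outside cgi-bin and calling it from a script avoids that.
#    Returns 1 if any raw binary is found, 0 otherwise.
audit_cgi_bin() {
    dir="$1"
    found=0
    for f in "$dir"/*; do
        [ -f "$f" ] && [ -x "$f" ] || continue
        # Read the first two bytes; "#!" marks a script with an interpreter line.
        magic="$(dd if="$f" bs=2 count=1 2>/dev/null)"
        if [ "$magic" = "#!" ]; then
            printf 'script %s\n' "$(basename "$f")"
        else
            printf 'BINARY %s\n' "$(basename "$f")"
            found=1
        fi
    done
    return $found
}

# 2. count_premature_headers < error_log
#    Counts "Premature end of script headers" entries per script path. A CGI
#    that starts but never emits an HTTP header block (the symptom of calling
#    the engine directly) produces exactly this entry, so a rising count for
#    one path is worth a look.
count_premature_headers() {
    grep 'Premature end of script headers' \
        | sed 's/.*script headers: //' \
        | sort | uniq -c \
        | sed 's/^ *//'
}

# Constructed sample log, shaped like the entry quoted in the thread.
SAMPLE_LOG="[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] revolution: Can't load stack or script 12345
[Thu Feb 21 10:41:45 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution
[Thu Feb 21 10:42:01 2008] [error] [client 127.0.0.1] Premature end of script headers: /Library/WebServer/CGI-Executables/revolution"

# Stand-alone use: ./audit.sh /path/to/cgi-bin
if [ "$#" -gt 0 ]; then
    audit_cgi_bin "$1"
    printf '%s\n' "$SAMPLE_LOG" | count_premature_headers
fi
```

The audit only looks at the first two bytes, so it treats any executable without a shebang as a binary; that is the right bias here, since the point is to surface anything in cgi-bin that is not a wrapper script. Run the log count against the real error log with `count_premature_headers < /var/log/apache2/error_log` (path as configured on your server).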