r3wp [groups: 83 posts: 189283]
World: r3wp

[CGI] web server issues

Pekr
5-Dec-2005
[330x2]
ok, now I tried it, Graham. I used Total Commander to copy it over 
ftp there. I got correct user and group permissions, but I had to 
chmod it directly on the server to 755
what should I do to not need it?
Graham
5-Dec-2005
[332]
Huh?
Pekr
5-Dec-2005
[333]
what permission does rebol need in linux filesystem?
Graham
5-Dec-2005
[334x2]
most hosts set up perl in some bin directory and the shebang points 
to that... but most hosts won't do that for rebol for you.  so, you 
have to put rebol in the cgi-bin
I think I just use 755
Pekr
5-Dec-2005
[336x2]
-rwxrwxr-x  1 cod-okna cod-okna   1504 Dec  5 22:24 pokus.cgi
-rwxrwxr-x  1 cod-okna cod-okna    284 Jan  3  2004 pokus.r
-rwxrwxr-x  1 cod-okna cod-okna 366148 Dec  5 11:26 rebol
yes, but the trouble is that when I copied it there, it had something 
even lower ...
Graham
5-Dec-2005
[338]
when you copy it, it is made not executable.. you have to change 
it
Pekr
5-Dec-2005
[339x2]
IIRC there was something like "s"  - sticky bit for particular directory, 
but not sure if related ...
yes, but what if all you have is an ftp account, not a console? How do you 
change it?
Graham
5-Dec-2005
[341]
ftp client can do that for you
Pekr
5-Dec-2005
[342x2]
what permission should scripts have, 755 or 775?
maybe I use 775 and it is not needed to have it so high?
Graham
5-Dec-2005
[344x2]
doesn't need to be able to be read
I mean group or world write
Volker
5-Dec-2005
[346x3]
1) should be secure. decode-cgi should put only strings in the data, 
nothing executable. (I use "should" a lot when it comes to security 
and I did not double-check).
But why do you do that? simply 
 mold decode-cgi
should give the same.
correction, that response was for 2)
1) trap errors. Big 

 if not attempt [your code here] [print [header "You triggered some 
 error" footer]]
Pekr
5-Dec-2005
[349x3]
ad 2) preparation for table output ... simple mold was quick option 
... I just wanted to know ...
thanks for 1), I thought so, but did not think it could be so easy 
:-)
what about 3)? Graham said that FTP client should allow me to set 
permission, but I can't find any option to do it in FTP Total Commander 
provides ...
Volker
5-Dec-2005
[352x3]
3) I would not put rebol in cgi-bin. If it is there, one can call 
the rebol-exe from the outside, without it doing a string. Never 
tried that, but it may think post-data is console-input. rights should 
be 755, only you can modify, but everyone can read it. the server 
may call it as "somebody else", and so it must be readable for that 
"user"
2) decode-cgi builds the data itself AFAIK. does not use load. so 
all data should be strings. i am not sure about words, i guess they 
are bound. when you only fetch the words and turn them immediately 
into a string, that should be ok. the usual way is 
 construct decode-cgi
that result is safe, because all words are bound to that context.
3) a good client can do that. so i guess yours has an option somewhere.
Pekr
5-Dec-2005
[355x2]
well, but as for 3) if I only edit my script, overwrite it, the permission 
(after copying it back to ftp) will be preserved. But if I add a script, 
it has insufficient permissions once again ...
ok, will look around in Total Commander ...
Graham
5-Dec-2005
[357]
Volker, people say it should not go in cgi-bin .. I have yet to see 
an exploit for this.
Volker
5-Dec-2005
[358]
i am curious. what is your url?
Graham
5-Dec-2005
[359]
If you call it .. so what?  You can't feed it parameters.
Pekr
5-Dec-2005
[360]
Ah, found it! Nice, it is in the first menu "Change attributes" ....
Volker
5-Dec-2005
[361]
if i post something, that goes to "console". I do not know how rebol 
handles that. Hopefully it is smart enough to do nothing.
Pekr
5-Dec-2005
[362]
Volker: http://www.cod-okna.cz/cgi-bin/rebol
Volker
5-Dec-2005
[363]
i try that post-thing. hope graham is right.
Graham
5-Dec-2005
[364]
thinking about it .. you would have to have a script in the cgi-bin 
directory that the remote user could exploit.
Volker
5-Dec-2005
[365]
when you start rebol without a script, it takes commands from the console.. 
at least from a real console..
Graham
5-Dec-2005
[366]
Hmm.  So, the remote user could start up multiple consoles?
Volker
5-Dec-2005
[367]
if that works. never really tried.
Pekr
5-Dec-2005
[368x2]
can a user go outside his cgi-bin directory, if he copies a script there, 
with the -cs option?
but console ends imo, no?
Volker
5-Dec-2005
[370]
with the -s yes.
Graham
5-Dec-2005
[371]
What if the remote user calls rebol with a url as a parameter... ?
Pekr
5-Dec-2005
[372x3]
uh ...
but how do you give it a parameter? do you make it part of the url? But 
apache will fail, no?
take my above url as an example
Graham
5-Dec-2005
[375]
well, rebol will take a url as a command line parameter
Volker
5-Dec-2005
[376]
I think url are passed in another way. in read-cgi is "system/options/cgi/query-string"
Graham
5-Dec-2005
[377]
http://www.cod-okna.cz/cgi-bin/rebol http://www.compkarori.com/test.r

The requested URL /cgi-bin/rebol http://www.compkarori.com/test.r
was not found on this server.
Apache/2.0.50 (Fedora) Server at www.cod-okna.cz Port 80
Volker
5-Dec-2005
[378x2]
the basics should be something like this. but does not work.
probe read/custom http://www.cod-okna.cz/cgi-bin/rebol [
 post {print "content-type: text/plain^/^/oho^/"}
]