r3wp [groups: 83 posts: 189283]
World: r3wp

[CGI] web server issues

Chris
1-Dec-2005
[324]
Has it actually been released?  I thought last word was that it was 
due for some optimization...
Pekr
5-Dec-2005
[325x4]
I just today was supposed to do quick small form maintenance using 
Rebol. My friend gave up on php, as he can't code. So - basically 
it all worked, I just have a few questions:
1) How do I prevent printing rebol output, e.g. error messages, to 
the browser? What is the general approach here? Should it be avoided so 
as not to eventually disclose the script's content?
2) how secure is the following? 

str: copy ""
result: decode-cgi read-cgi

foreach [word value] result [
    append str join "" [word ":    " value newline]
]


I mean - the above block in the 'join statement is reduced - is it secure?
3) I have an older version of rebcmd from the linux sdk I bought. But it 
did not use 'read-cgi at that time (well, here we are with the SDK coming 
late ;-) My question is - I uploaded rebol core into the cgi-bin directory:
a) is it a desirable approach or should it be avoided?

b) how do I ensure that, if I ftp the rebol executable to the cgi-bin dir, 
it has sufficient rights in the target directory so that it can 
be run?
Graham
5-Dec-2005
[329]
mostly that's where i put it .. I can't put it anywhere else
Pekr
5-Dec-2005
[330x2]
ok, now I tried it, Graham. I used Total Commander to copy it over 
ftp there. I got correct user and group permissions, but I had to 
chmod it directly on server to 755
what should I do to not need it?
Graham
5-Dec-2005
[332]
Huh?
Pekr
5-Dec-2005
[333]
what permission does rebol need in linux filesystem?
Graham
5-Dec-2005
[334x2]
most hosts set up perl in some bin directory and the shebang points 
to that... but most hosts won't do that for rebol for you.  so, you 
have to put rebol in the cgi-bin
I think I just use 755
Pekr
5-Dec-2005
[336x2]
-rwxrwxr-x  1 cod-okna cod-okna   1504 Dec  5 22:24 pokus.cgi
-rwxrwxr-x  1 cod-okna cod-okna    284 Jan  3  2004 pokus.r
-rwxrwxr-x  1 cod-okna cod-okna 366148 Dec  5 11:26 rebol
yes, but the trouble is, that when I copied it there, it had something 
even lower ...
Graham
5-Dec-2005
[338]
when you copy it, it is made not executable.. you have to change 
it
Pekr
5-Dec-2005
[339x2]
IIRC there was something like "s"  - sticky bit for particular directory, 
but not sure if related ...
yes, but what if all you have is an ftp account, not a console? How do you 
change it?
Graham
5-Dec-2005
[341]
ftp client can do that for you
Pekr
5-Dec-2005
[342x2]
what permission should scripts have, 755 or 775?
maybe I use 775 and it is not needed to have it so high?
Graham
5-Dec-2005
[344x2]
doesn't need to be able to be read
I mean group or world write
Volker
5-Dec-2005
[346x3]
1) should be secure. decode-cgi should put only strings in the data, 
nothing executable. (i use a lot "should" when it comes to security 
and i did not double-check).
But why do you do that? simply 
 mold decode-cgi read-cgi
should give the same.
correction, that response was for 2)
1) trap errors. Big 

 if not attempt [your code here] [print [header "You triggered some 
 error" footer]]
Pekr
5-Dec-2005
[349x3]
ad 2) preparation for table output ... simple mold was quick option 
... I just wanted to know ...
thanks for 1), I thought so, but did not think it could be so easy 
:-)
what about 3)? Graham said that the FTP client should allow me to set 
permissions, but I can't find any option to do it in the FTP Total Commander 
provides ...
Volker
5-Dec-2005
[352x3]
3) I would not put rebol in cgi-bin. If it is there, one can call 
the rebol-exe from the outside, without it doing a string. Never 
tried that, but it may think post-data is console-input. rights should 
be 755, only you can modify, but everyone can read it. the server 
may call it as "somebody else", and so it must be readable for that 
"user"
2) decode-cgi builds the data itself AFAIK. does not use load. so 
all data should be strings. i am not sure about words, i guess they 
are bound. when you only fetch the words and turn them immediately 
into a string, that should be ok. the usual way is 
 construct decode-cgi read-cgi
that result is safe, because all words are bound to that context.
3) a good client can do that. so i guess yours has an option somewhere.
Pekr
5-Dec-2005
[355x2]
well, but as for 3) if I only edit my script, overwrite it, the permission 
(after copying it back to ftp) will be preserved. But if I add script, 
it has insufficient permission once again ...
ok, will look around in Total Commander ...
Graham
5-Dec-2005
[357]
Volker, people say it should not go in cgi-bin .. I have yet to see 
an exploit for this.
Volker
5-Dec-2005
[358]
i am curious. what is your url?
Graham
5-Dec-2005
[359]
If you call it .. so what?  You can't feed it parameters.
Pekr
5-Dec-2005
[360]
Ah, found it! Nice, it is in the first menu "Change attributes" ....
Volker
5-Dec-2005
[361]
if i post something, that goes to "console". I do not know how rebol 
handles that. Hopefully it is smart enough to do nothing.
Pekr
5-Dec-2005
[362]
Volker: http://www.cod-okna.cz/cgi-bin/rebol
Volker
5-Dec-2005
[363]
i try that post-thing. hope graham is right.
Graham
5-Dec-2005
[364]
thinking about it .. you would have to have a script in the cgi-bin 
directory that the remote user could exploit.
Volker
5-Dec-2005
[365]
when you start rebol without a script, it takes commands from the console.. 
at least from a real console..
Graham
5-Dec-2005
[366]
Hmm.  So, the remote user could start up multiple consoles?
Volker
5-Dec-2005
[367]
if that works. never really tried.
Pekr
5-Dec-2005
[368x2]
can a user go outside his cgi-bin directory if he copies a script there, 
with the -cs option?
but the console ends imo, no?
Volker
5-Dec-2005
[370]
with the -s yes.
Graham
5-Dec-2005
[371]
What if the remote user calls rebol with a url as a parameter... 
?
Pekr
5-Dec-2005
[372x2]
uh ...
but how do you give it a parameter? do you make it part of the url? But 
apache will fail, no?