AltME groups: search


world-name: r3wp

Group: CGI ... web server issues [web-public]
Volker:
5-Dec-2005
3) I would not put rebol in cgi-bin. If it is there, one can call 
the rebol-exe from the outside, without it doing a string. Never 
tried that, but it may think post-data is console-input. rights should 
be 755, only you can modify, but everyone can read it. the server 
may call it as "somebody else", and so it must be readable for that 
"user"
Volker:
5-Dec-2005
2) decode-cgi builds the data itself AFAIK. does not use load. so 
all data should be strings. i am not sure about words, i guess they 
are bound. when you only fetch the words and turn them immediate 
in a string, that should be ok. the usual way is 
 construct decode-cgi
that result is safe, because all words are bound to that context.
Volker:
5-Dec-2005
3) a good client can do that. so i guess yours has an option somewhere.
Graham:
5-Dec-2005
thinking about it .. you would have to have a script in the cgi-bin 
directory that the remote user could exploit.
Volker:
5-Dec-2005
when you start rebol without script, it takes commands from console.. 
at least from a real console..
Graham:
5-Dec-2005
What if the remote user calls rebol with a url as a parameter... 
?
Pekr:
5-Dec-2005
but how you give it a parameter? do you make it part of url? But 
apache will fail, no?
Graham:
5-Dec-2005
well, rebol will take a url as a command line parameter
Volker:
5-Dec-2005
another try, Pekr does not find a new file.
Volker:
5-Dec-2005
No, that should only run, make a file in rebols dir and quit. Hmm, 
in the current dir, where is that?
Pekr:
5-Dec-2005
well, but it is good option to simply make nearly whatever provider 
a rebol hoster :-)
Sunanda:
5-Dec-2005
Petr: <<I mean - above block in 'join statement is reduced - is it 
secure?>>

That should be okay.  You could just do a construct/with to create 
an object.

If you are intending to create an object, then pre-process the block 
from decode-cgi to ensure that the word "self" is not used as a keyword 
(tip courtesy of Chris RG, if I remember rightly).
Volker:
5-Dec-2005
i mean a main app in c.
Graham:
5-Dec-2005
he's trying to start it up and leave a console running
Volker:
5-Dec-2005
No, the second time i do a wait. that should be slower.
Volker:
5-Dec-2005
but hard to exploit more. security is on, so only access to cgi-bin 
and childs. cgi-bin should not be writable by the cgi-user. except 
if cgis run as your account, then i could write a script with -cs 
and call that in the next step.
Pekr:
5-Dec-2005
now - is it a rebol vulnerability? Or just putting rebol into cgi-bin 
is the simple cause?
Volker:
5-Dec-2005
but it could protect itself by checking for cgi without -c? So not 
a bug, but a missing feature?
Pekr:
5-Dec-2005
how could it protect itself? How does it know it is in place to be 
run as a cgi interpreter?
Sunanda:
5-Dec-2005
REBOL does not have to be in the cgi-bin folder.

If it is elsewhere, have a shebang in the first line of each script 
to point to where the executable is.
(apologies if I'm missing the point of the discussion here)
Sunanda:
5-Dec-2005
That would be a problem :-)
Graham:
5-Dec-2005
and since my cgi-local is a mapped directory, I can't create subdirectories
Graham:
12-Dec-2005
This is an odd one.  I have a form that records a user's email address, 
the time they filled in the form, and their ip address.

A user did so, and got two subscription notices - timed 30 seconds 
or so apart.  So, both were his email address, but the ip address 
of the later one was from Google!
Graham:
12-Dec-2005
Yep, that was it.  Mediapartners-Google/2.1 submitted the form again. 
 It looks like if you have the Google search bar, it submits all 
your internet traffic to google, who then go and try and index that 
site - including submitting your email address to a form!!
Sunanda:
12-Dec-2005
That's exactly what Google does.

It has some sites indexed purely because the developer visited the 
site while using a browser that had the Google toolbar active. Otherwise, 
the site would have remained invisible.


Of course that doesn't excuse the developer from putting up a private 
or incomplete site without password or other protection. There are 
other ways for private URLs to slip into public consciousness. The 
Google toolbar is simply the most widespread.
Gabriele:
12-Dec-2005
Graham: was that a GET or a POST form? It makes sense for them to 
record urls with parameters, but it would be disturbing if they were 
recording POST contents.
DideC:
12-Dec-2005
Good to know !!

Looking at some log on a server I have to administrate, I'm afraid 
to see many requests trying to find some /ebay, /lassalebank, /admin, 
/phpmyadmin pages on the site.
Internet looks more and more like a jungle.
DideC:
12-Dec-2005
Then, no I think of putting "robots.txt" file, I just think that 
some hackers can use it to exactly do the opposite of what it's supposed 
to do. They probably have made some bots that just pick all pages 
marked as 'disallow in it. If you don't know the name of the pages, 
it's a good place to find some !!
Graham:
12-Dec-2005
Gabriele, it was supposed to be a POST form, but looking now at the 
source, I see I typed "type=post" instead of "method=post", so it 
turned out to be GET.
Volker:
1-Mar-2006
#!/rebol -sc 

of course. the -s switches sandbox off. i then usually do a secure 
to my own folder first in the cgi.
Louis:
8-May-2006
I am running XP on my local computer. Our web host's server is running 
Red Hat Linux.


Which version of core should I use on the host server to run the 
cgi scripts?


If I download the proper Linux core interpreter to my  XP computer, 
and uncompress it using WinZip, will it be corrupted by XP?  How 
do I get a clean version of core to the Linux server?
Louis:
8-May-2006
500 Server Error

A misconfiguration on the server caused a hiccup. Check the server 
logs, fix the problem, then try again. URL: http://www.dayspringpublisher.com/cgi-bin/now.cgi

/home/daysprin/public_html/cgi-bin/now.cgi: Invalid shebang /dayspringpublisher.com/cgi-bin/rebol: 
Does not exist!
Sunanda:
8-May-2006
Sounds like either:
-- your script does not start with a shebang
-- it does, but the rebol.exe it points to is not there
-- you don't have the right line endings
Graham:
8-May-2006
the perl scripts may point to a common perl interpreter so may not 
help you either.
Louis:
8-May-2006
OK, now that cgi is working, I want to make a form that will allow 
people to give their name and email address to be saved in a rebol 
db file on the server for me to download at my convenience. Has anyone 
already done this so that I don't have to reinvent the wheel?
Pekr:
11-Aug-2006
what is your precise mask for script itself? Try giving it 777 for 
a while, to see, if it is permission problem or not ... try to print 
newline at the end of the script ...
Pekr:
11-Aug-2006
if it is .r, try to change it to .cgi for a while
Janeks:
11-Aug-2006
Btw content of one of file in the interpreters dir:
#!/bin/bash
if [ -z "$REDIRECT_STATUS" ]; then
  echo -e "Content-Type: text/html\r\n\r
<b>Security Alert!</b> The Perl CGI cannot be accessed directly.

<p>This Perl CGI launcher is configured to require a redirect.  This
means that a page will only be served up if the REDIRECT_STATUS CGI variable
is set, e.g. via an Apache Action directive.</p>

<p>For more information as to <i>why</i> this behaviour exists, see
the <a href=\"http://php.net/security.cgi-bin\"> PHP manual page
for CGI security</a>.</p>
"
else
  export SCRIPT_NAME=${PATH_TRANSLATED##${DOCUMENT_ROOT}}
  export SCRIPT_FILENAME=$PATH_TRANSLATED
  /usr/bin/perl "$SCRIPT_FILENAME"
fi


As newcomer in linux and apache I can only guess what it means, but 
I am thinking about this line:
 This Perl CGI launcher is ...
Pekr:
11-Aug-2006
ah, then this apache is configured strangely imo .... in Apache httpd.conf, 
you normally specify ScriptAlias for directory, where cgi is going 
to be placed. Then you can always manually set whatever directory, 
to perform cgi action by adding SetHandler cgi-script for specific 
directory .... but then all files in there are regarded being a cgi 
and Apache could try to run them ...
james_nak:
11-Aug-2006
Janeks, I think httpd.conf is in the 'confs' dir. I don't think 
that a normal host allows you access to that though.
Janeks:
12-Aug-2006
I uploaded view but it does not work - I just see error 500, but 
i think rview is the reason, because I changed in working script 
just first line that points to rebol executable.

It's a pity - I wanted to add some functionality above to my home 
page.

Q: Is it possible to add required libs? F.ex. just in the same dir.
Sunanda:
13-Aug-2006
Running View as a CGI can be a problem.
I don't know any solutions to that.
Graham:
13-Aug-2006
switch to a windows host.  solves that.
Janeks:
16-Aug-2006
I found that in my case on Linux RebView needs linux-gate.so.1!

I tried to google for "download linux-gate.so.1", but there was a 
lot of links for different things and it seems to me that it is 
included in some installation package.

Could somebody help with this library and is it worthwhile (will 
RebView take it from current dir)?
Gabriele:
17-Aug-2006
petr, load/library is probably a bit different from what ldd does 
on startup. i suppose ldd wants current dir in the lib path to load 
libs from current dir (same issue as executing programs from current 
dir...)
Tomc:
20-Aug-2006
first guess view may not work without X installed (does not on solaris) 
and there is no good reason to run X on a web server ... and then 
there are all those fiddley fonts
Tomc:
20-Aug-2006
and if you do have X installed the cgi script is likely not run  
from a graphicly aware shell so there may be virtual frame buffers 
involved
Anton:
21-Aug-2006
I haven't set up Rebol with IIS myself, but my immediate reaction 
is to ask another question: "How much do you believe Microsoft?" 
Of course Microsoft will lead those who are a little unsure to believe 
that alternate software is less secure.
Pekr:
21-Aug-2006
hmm, size-text - it does sound like a native. IMO it is wrapper for 
OS level function, returning pixel size of particular text .... could 
that be a problem of some missing os library?
Anton:
21-Aug-2006
Do you have a linux box at home to play with ? You could try install 
Rebol/View on it without X running and see what error you get...
Volker:
21-Aug-2006
size-text: xwindows is client/server. the x-server , that is your 
local computer, which offers to applications to display things to 
you. And it has some important informations locally, especially the 
fonts (and can cache images and such).

/view needs access to the fonts and so access to a running x-server. 
the x-libs are only an interface to connect to the server. (The xserver-libs 
could be used directly, but well, /view does not do that. Seems to 
be tricky.)
An incomplete sketch how to do it, with no attention to security:

So with /view you need a running x-server, one way to do that  headless 
is vnc.  Can also run on another machine. 

Then you need to tell  rebol where it is, there is an env-var $DISPLAY. 
Which must be set before rebol runs. Did not figure out how to configure 
that. Running a bash-script as cgi, set  $DISPLAY, call the real 
rebol-script should work. And there may be issues with authentication, 
x-windows does not like everyone to connect by default, or the other 
way around, its too easy to make it too open ("xhost + ip"). There 
are more secure ways, but looked more complicated and i never tried. 
All in all i would run such things on windows.
Janeks:
22-Aug-2006
Sounds like I should think about other solutions of human control 
and image resizing & texts on them.
It is a pity.

Human control could be organized by just set of image files with 
some "kidnaping" fonts letters and some simple script in Core.

Image resizing (f.ex. when uploading) theoretically could be done 
with Core - but it seems too much work for me now, because I don't 
know yet how image files are built and those resizing algorithms.
And about text placing on uploaded images I can forget.
All things above could be done in View just fine.
:(

It was good idea, that I made first my private blog site on Linux. 
Despite Rebol runs on so many systems - running the same things on 
other systems should be checked before. Especially if there is no 
experience of work on that system.


BTW I found in the google the similar response was caused from incomplete 
View installation: http://demo.rebol.net/list/list-msgs/34071.html
But it looks that this is not the case.
Graham:
22-Aug-2006
Henrik, at present I am converting PDFs to JPG, and since it uses 
ghostscript as well, it is not that fast ... but I don't have too 
long a wait.
Henrik:
22-Aug-2006
I'm missing a compact solution to make high quality thumbs. if only 
DRAW was up to the task...
Henrik:
22-Aug-2006
well, it's a no go for me. everything has to be bundled into a single 
lightweight package. I think it's a little absurd having to blow 
up the app by a factor of 2-5 in size, just to get pretty thumbnail 
generation for it. I hope a future version of DRAW will allow better 
downscaling.
james_nak:
25-Sep-2006
Does anyone have any ideas about how to approach a web-based gui 
that allows users to upload multiple files at one time without having 
a series of  "inputs?" I'd like to have users do a ctrl select when 
they are browsing for multiple files to send. Thanks.
james_nak:
25-Sep-2006
I mean, does it simply send it to a cgi program or does it save the 
files sent as well?
james_nak:
25-Sep-2006
I checked it out and it basically has a button to add more inputs 
to the page. There was a snippet available on the web that does this. 
That definitely is a possibility.
james_nak:
26-Sep-2006
Yes, that may be a concern as well. I'm running on a virtual server 
so I could change those parameters. Maybe I should investigate some 
type of Rebol client app. instead. Basically, what I'm after is a 
way for my students to send in their homework files that is better 
and smarter than this dropbox solution that they have now. It doesn't 
give them feedback of a successful upload and I end up with files 
upon files of slightly uncategorized uploads.
Ashley:
27-Sep-2006
I'm using FormMail.pl to handle some simple contact details collection, 
but seems it is not highly regarded in the Perl community due to 
its vulnerability to SPAM and bots. nms seems to offer a more secure 
version, http://nms-cgi.sourceforge.net/faq_nms.html, but I haven't 
done anything with Perl for years now. Anyone have a suggestion for 
a good FormMail.pl replacement, or are rumors of its death greatly 
exaggerated?
Gabriele:
28-Sep-2006
afaik, the latest formmail.pl is "secure enough" (esp. if you configure 
it properly). it's not the best system out there, and being very 
popular it is also a popular target, but if you don't have time to 
replace it but can keep it up to date you should be fine.
james_nak:
22-Jan-2007
Does anyone have a nice "easy to use" sessions code like php so I 
can "secure" pages like the rebol blogger editing?
Maxim:
22-Jan-2007
james, I am sure this has been discussed before and pekr and/or sunanda 
gave such an example... try doing a search or reading about it here 
in earlier conversations...
Alek_K:
15-Feb-2007
Yes - before I just had in root directory a catalog with permissions 
and all worked.
PeterWood:
15-Feb-2007
Rebol.org had a similar problem when the ISP moved from Linux to 
BSD - they fixed it by running a linux compatibility utility. Sunanda 
knows the details.
PeterWood:
15-Feb-2007
There is a FreeBSD version of Rebol Core but I'm not sure which version 
of FreeBSD..
PeterWood:
15-Feb-2007
Given the small download and simple installation, it may be worth 
a try.
Sunanda:
15-Feb-2007
All I know is that the ISP neglected to start the "Linux compatibility 
module" on a reboot -- and so REBOL.org 500ed for most of a day until 
we got it sorted.

I've sent Alek the full emails from the ISP documenting the problem, 
but they don't really say very much more.
Gabriele:
16-Feb-2007
99% of the times a symlink solves the missing lib problem.
Gabriele:
19-Feb-2007
i don't know freebsd well enough to give you a good answer. however, 
usually, if libm.so.2 is missing but they have libm.so.x (eg libm.so.3 
or libm.so.4) then it is enough to have a ln -s libm.so.x libm.so.2 
to make rebol work. same for any other missing libraries. this does 
not work always but works in most cases.
Gabriele:
19-Feb-2007
otherwise, you need to ask Carl (repeatedly ;) for a new freebsd 
build for you.
Josh:
23-Feb-2007
Ok, I have a question regarding blog.r .  I set it up on a server 
to play with it for a few minutes.  After a couple kinks, I got it 
working with a few tests.   I went to delete the test blogs but found 
they were created under the www-data user and group (this is on a 
linux server) and I do not have writes to delete or modify these 
files.   In the future, is there a way to have the files created 
under a different user / group?
Josh:
23-Feb-2007
And my second question, is this blogger.r the most fully featured 
version of the original blog.r ?   I've been out of the loop for a 
while.
Josh:
23-Feb-2007
Can you set the owner-id / group-id with set-mode?   Is there a good 
resource on set-modes other than the function dictionary?  I've been 
searching but haven't come up with anything...
Gabriele:
23-Feb-2007
you can't change the owner of a file, unless you are root
Chris:
23-Feb-2007
You shouldn't need to open a file port to set-modes, just set-modes 
%file.r [... modes ...]
Chris:
23-Feb-2007
Also, I don't know if this is so with every setup, but when you create 
a file with a CGI script, the process owner, not the script owner, 
is the owner of the file, so you'd need to be able to do owner-read/owner-write. 
 I usually set owner/group/world-read/write to true and execute to 
false.
Maxim:
26-Feb-2007
is it possible to extract/change a cookie from the site a plugin 
is working in?


  I have embedded an app within an IIS served web site.  I must make 
  the reblet interact with the site's cookie, so it follows the rest 
  of the site's status when relaunched (browsing to/from the app from 
  other pages restarts the rebol app).
btiffin:
19-Apr-2007
Hi,  question for the webheads.

In short.  Can a form call a cgi action that processes data but doesn't 
output any Content-type (or anything for that matter) without the 
browser status coming up with "waiting for reply".

I've got a client that wants a form for requesting more info, but 
they want to leave the user on the same screen, so I thought I could 
have a %process.cgi that takes the data and plays with it and then 
have an intrinsic  onsubmit=alert(...)  to inform the user that the 
request has been submitted.

The %process.cgi doesn't print "Content-type ..."
it doesn't print anything, as I was hoping to leave the same browser 
screen up.

Am I living in lalaland?

Should the %process.cgi just redirect back to the original page with?

print "location: /original.html^/content-type: text/html^/"  or is 
that deprecated now?  It works under my test heads, Cheyenne and 
nonIE browser, but is there a bigger better way?  Or do I tell the 
client that the browser needs a new page and I can add a back link 
(not preferred).

Thanks for listening
Sunanda:
19-Apr-2007
You could try sending back a 204 response.
Means "no content" in the response.
No idea what a webserver would do with that.
A 205 might work too.
Gabriele:
19-Apr-2007
why should not the user leave the form? should a user be able to 
send it multiple times?
btiffin:
19-Apr-2007
I'm popping up an Alert...

This is a client request, I'm looking at options.  Thanks for the 
hints.
btiffin:
19-Apr-2007
The form comes with a note about Javascript...so far anyway.  I'm 
showing off the print "location: " umm, redirect, to them right now 
as we speak.
DanielSz:
25-Jul-2007
Hello, I need to send multipart/form-data to a server for uploading 
a file from the console. I've been googling and searching the script 
archive, to no avail. Can anyone help?
Group: PowerPack ... discussions about RP [web-public]
Volker:
27-May-2005
jailable: taking free software, change a bit, close it. BSD.

paid: yes. goto DcKimbel, say "your Uniserv is wooonderfull!! How 
many bucks". I am sure you can make a deal and jail - uhm, close 
your project as much as you want.
Volker:
27-May-2005
BSD guys may think "ah, but you are a coder! much more like us. about 
the users, well.." ;)
ScottT:
27-May-2005
yeah, well, I'm a hobbyist.  I write a lot of code that I don't mind 
people using however they like so long as they don
ScottT:
27-May-2005
that's a deal breaker for me and I bounce the gpl stuff.
ScottT:
27-May-2005
not "free" enough in a hobbyist sense.
Volker:
27-May-2005
Well, you said "To understand how to use a moderately complex system 
like a full-featured web server, it is going to be important to capture 
the thinking of those who wrote the code.". and then you want to 
force your users not to look at it?
Volker:
27-May-2005
ScottH - choosing one of two ways. either passing the freedom by 
giving your changes away, or to pay the GPL-part coder with some 
of the money you get. As you would do if you hired a coder to do 
that part.
Volker:
27-May-2005
Or make a clear cut about which part you want freedom. as with classpath, 
or linux-kernel where you can run closed stuff on.
Volker:
27-May-2005
The BSD-free, you are right, is old. at that time the GPL was standard, 
just not written. if you asked someone how something worked, you 
got answer, examples, etc. was a closed group, such programmers, 
no need to think big about licensing.
ScottT:
27-May-2005
it was really just a passing thought
Volker:
27-May-2005
AFAIK the community is a bit more BSD, but Carl not, and GPL means 
he will not use it. Thats a heavy argument.
Volker:
27-May-2005
Yes. Also, rebol shows a lot of its source, even if officially closed. 
thats a lot of the "good old informal way" before GPL was needed. 
:)
ScottT:
27-May-2005
and from what I've read, the only thing that really weighs on him 
is a bunch of soap opera caliber licensing discussions, which I can 
now say that I participated in. . .oh well.  guess I'll have to label 
that button hot, I generally avoid that discussion.
Volker:
27-May-2005
(i guess licensing could be a very good base for a soap opera, though 
:)
shadwolf:
27-May-2005
basically Free means the author is free to choose the licence of his 
creation ... You can't contest the right of an author to protect 
his creation ... Offering the  use and sharing the code is yet a 
great thing .. And with GPL you can work on the creation  as you 
want until you respect the licence terms and do not want to appropriate 
a creation that doesn't belong to you ;)
shadwolf:
27-May-2005
if we take MacOS X example we all know what is the gain for Apple 
but it is more blur to see what is the benefit that OpenBSD project 
writers retrieves of this experience. A part a spot light put upon 
their project. But every a little serious coder was yet knowing 
that freeBSD and OpenBSD were rock stable OS