[REBOL] Re: cgi path
From: volker::nitsch::gmail::com at: 8-Aug-2005 7:05
On 8/7/05, Kai Peters <[kpeters--vu-ware--com]> wrote:
> Thanks Sunanda - that was actually the first thing I tried and it didn't
> work initially. Must have screwed up the upload!?!
> Didn't know about clean-path which comes in handy - lots to learn!
>
> Using the script below, it now finds and displays the files. But all
> relative links from the files displayed via the Rebol script (to images
> & css scripts) are broken.
> Such as: <img src="images/header.png" alt="ZooBase Logo" width="750"
> height="90" border="0"> and href="zbstyles.css"
>
> I have tried playing with change-dir in the script and changing the
> links in my html files to something like: "../httpdocs/images/header.png
> - all to no avail!
>
> What do I need to do to make this work?
>
If I had path problems, I would dump directories from the CGI,
showing me %../, %../ etc. from the "perspective" of the REBOL script,
and then try to find the same by FTP. If they match, I have a base path.
For security, there are two ways.
A basic one is using secure, like:
secure [file quit %../../httpdocs/ [allow read] %../user-contrib/ [allow]]
You can check that with
probe secure query
If the script tries to go out of that sandbox, it auto-quits.
But you want the script to read, say, passwords,
so you have to allow that by secure, but not by malicious user input.
First step: clean-path
!> clean-path %webconsole/../..
== %/home/
No more tricky %.. inside.
Next one, checking for the base dir:
!> find/match clean-path %webconsole/myfile clean-path %webconsole/
== %myfile
!> find/match clean-path %webconsole/../../volker clean-path %webconsole/
== none
find/match checks for abbreviations.
So:
data-dir: clean-path %somewhere/
file: clean-path to-file user-input  ; user-input is a string! from the query, clean-path wants a file!
if find/match file data-dir [ "it's ok to read" ]
find
> Thanks again,
> Kai
>
> #!/home/httpd/vhosts/<my domain>/cgi-bin/rebol -cs
> REBOL []
> cgiparams: system/options/cgi/query-string
> print "Content-type: text/html^/"
> destpage: first parse/all cgiparams "&"
> destpage: second parse/all destpage "="
> ;****************************************************
> ; does the replace make it safe enough?
> ;****************************************************
> filename: rejoin [ %../httpdocs/ replace/all destpage "/" "@" ".html" ]
> either exists? filename [
> html: read/lines filename
> print html
> ][
> print ["couldn't find " filename clean-path filename]
> ]
>
> --
> To unsubscribe from the list, just send an email to
> lists at rebol.com with unsubscribe as the subject.
>
--
-Volker
Any problem in computer science can be solved with another layer of
indirection. But that usually will create another problem.
-- David Wheeler
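Putting Volker's three pieces together (the secure sandbox, clean-path, and the find/match prefix test) in the shape of Kai's script gives a complete CGI that refuses any page name escaping the page directory. This is an added example for the thread, not Kai's or Volker's code; it assumes Kai's layout (pages in ../httpdocs/ relative to the cgi-bin/ the script runs from), a query parameter called `page`, and REBOL 2 with the `-cs` switches from Kai's shebang line, all of which are assumptions.

```rebol
#!/path/to/rebol -cs
REBOL [
    Title: "Serve one page from a fixed directory, refusing path escapes"
    Note: {Added example for the list thread, not Kai's or Volker's code.
    Assumes pages live in ../httpdocs/ relative to the cgi-bin/ the script
    runs from, and a query parameter named "page" (both assumed).}
]

; Outer fence: -s on the shebang line switched the default policy off, so
; the script sets its own. REBOL quits if anything touches a file outside
; the page directory, and inside it only reading is permitted.
secure [file quit %../httpdocs/ [allow read]]

; Canonical base directory, computed once. clean-path resolves it against
; the current directory. The trailing slash is essential: without it a
; sibling such as %../httpdocs-private/ would also pass the prefix test.
data-dir: clean-path %../httpdocs/

page-arg: func [
    "Value of the 'page' parameter from a raw query string, or none"
    query [string!]
    /local pair
][
    foreach field parse/all query "&" [
        pair: parse/all field "="
        if all [2 = length? pair pair/1 = "page"] [
            return dehex pair/2      ; decode %xx BEFORE any path check
        ]
    ]
    none
]

safe-page?: func [
    "Cleaned file! for NAME inside data-dir, or none if it would escape"
    name [string!]
    /local target
][
    ; join appends the decoded characters verbatim, then clean-path folds
    ; every ./ and ../ so the prefix test sees the real destination.
    target: clean-path join data-dir [name ".html"]
    if find/match target data-dir [target]   ; none when data-dir is not a prefix
]

print "Content-type: text/html^/"
name: page-arg any [system/options/cgi/query-string ""]
either all [name file: safe-page? name exists? file] [
    print read file
][
    ; Do not echo the rejected path back; it is attacker-controlled.
    print "<p>No such page.</p>"
]
```

The order is the point: decode the parameter first, canonicalise the full path with clean-path, and only then compare it against a slash-terminated base with find/match. A name like `..%2F..%2Fetc%2Fpasswd` decodes to `../../etc/passwd`, cleans to a path outside `data-dir`, and fails the prefix test, while Kai's replace-slashes approach is no longer needed because the check reasons about the real destination rather than the characters. The secure line stays as the fallback Volker describes: if the check were ever bypassed, the interpreter quits instead of reading the file.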