
[REBOL] Re: cgi path

From: volker::nitsch::gmail::com at: 8-Aug-2005 7:05

On 8/7/05, Kai Peters <[kpeters--vu-ware--com]> wrote:
> Thanks Sunanda - that was actually the first thing I tried and it didn't
> work initially. Must have screwed up the upload!?!
> Didn't know about clean-path which comes in handy - lots to learn!
>
> Using the script below, it now finds and displays the files. But all
> relative links from the files displayed via the Rebol script (to images
> & css scripts) are broken.
> Such as: <img src="images/header.png" alt="ZooBase Logo" width="750
> height90" border="0"> and "href="zbstyles.css"
>
> I have tried playing with change-dir in the script and changing the
> links in my html files to something like: "../httpdocs/images/header.png
> - all to no avail!
>
> What do I need to do to make this work?
>
If I had path-problems, I would dump directories from the cgi. Showing me
%../, %../ etc from the "perspective" of the rebol-script. And then try to
find the same by ftp. If they match, I have a base-path.

For security, there are two ways. A basic one is using secure, like

    secure[file quit %../../httpdocs/ [allow read] %../user-contrib/ [allow]]

You can check that with

    probe secure query

If the script tries to go out of that sandbox, it auto-quits.
But you want the script to read, say passwords, so have to allow that by
secure, but not by malicious user-input.

First step: clean-path

    !> clean-path %webconsole/../..
    == %/home/

No more tricky %.. inside.
Next one, checking for basedir:

    !>find/match clean-path %webconsole/myfile clean-path %webconsole/
    == %myfile
    !>find/match clean-path %webconsole/../../volker clean-path %webconsole/
    == none

find/match checks for abbreviations. So

    data-dir: clean-path %somewhere/
    file: clean-path user-input
    if find/match file data-dir[
        "its ok to read"
    ]

find
> Thanks again,
> Kai
>
> #!/home/httpd/vhosts/<my domain>/cgi-bin/rebol -cs
> REBOL []
> cgiparams: system/options/cgi/query-string
> print "Content-type: text/html^/"
> destpage: first parse/all cgiparams "&"
> destpage: second parse/all destpage "="
> ;****************************************************
> ; does the replace make it safe enough?
> ;****************************************************
> filename: rejoin [ %../httpdocs/ replace/all destpage "/" "@" ".html" ]
> either exists? filename [
>     html: read/lines filename
>     print html
> ][
>     print ["couldn't find " filename clean-path filename]
> ]
>
> --
> To unsubscribe from the list, just send an email to
> lists at with unsubscribe as the subject.
>
--
-Volker

Any problem in computer science can be solved with another layer of
indirection. But that usually will create another problem. David Wheeler
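
The clean-path plus find/match check described in the reply, applied to the page lookup from the quoted script. This is an added example, not code from either poster; the helper name resolve-page, the sample requests and the use of dehex before the check are assumptions made for the illustration.

```rebol
REBOL [Title: "Base-directory check for a CGI page lookup (added example)"]

; Assumption: pages live in %../httpdocs/ relative to the script, as in the
; quoted CGI script. clean-path makes the path absolute; the trailing slash
; matters, because without it a sibling directory such as %../httpdocs-old/
; would also pass the prefix test below.
data-dir: clean-path %../httpdocs/

; resolve-page is a hypothetical helper name. It returns the absolute file!
; for a requested page name, or none when the request leaves data-dir.
resolve-page: func [name [string!] /local file] [
    ; Decode %xx escapes first, so "%2e%2e%2f" is checked as "../".
    name: dehex name
    ; Collapse every "." and ".." segment before any comparison is made.
    file: clean-path rejoin [data-dir name ".html"]
    ; find/match succeeds only when file begins with data-dir.
    either find/match file data-dir [file] [none]
]

; Constructed sample requests, not taken from a real log.
foreach name [
    "index"
    "docs/../index"
    "../cgi-bin/rebol"
    "%2e%2e%2fcgi-bin%2frebol"
    "../httpdocs-old/index"
] [
    print [mold name "->" mold resolve-page name]
]
```

The first two requests resolve to a file under data-dir; the other three resolve outside it and yield none, so the CGI script should read a file only when resolve-page returns a file!.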