path question
[1/8] from: kpeters:vu-ware at: 7-Aug-2005 13:05
Hi ~
Linux/Rebol 2.5.6.4.2
I want to check the existence of a file from a cgi script and my code
works well if I use an absolute path. I do have problems using a relative
path though: My script resides off the document root in cgi-bin and the
file I want to check for in httpdocs, also off the document root.
filename: rejoin [ %<what goes here?> destpage ".html" ]
either exists? filename [
    print "have it"
][
    print "???"
]
I believe I have exhausted all possible variations I can think of. Can
someone shed some light?
Thanks,
Kai
[2/8] from: kpeters:vu-ware at: 7-Aug-2005 14:02
Hi ~
Linux/Rebol 2.5.6.4.2
I want to check the existence of a file from a cgi script and my code
works well if I use an absolute path. I do have problems using a relative
path though: My script resides off the document root in cgi-bin and the
file I want to check for in httpdocs, also off the document root.
filename: rejoin [ %<what goes here?> destpage ".html" ]
either exists? filename [
    print "have it"
][
    print "???"
]
I believe I have exhausted all possible variations I can think of. Can
someone shed some light?
Thanks,
Kai
[3/8] from: SunandaDH::aol::com at: 7-Aug-2005 17:06
Kai:
> Can someone shed some light?
Your email was a little difficult to decode as it was afflicted with numbered
codes. I hope I've read it right.
If your folder structure is:
root
|--cgi-bin
|--httpdocs
Then this should work:
filename: rejoin [ %../httpdocs/ destpage ".html" ]
either exists? filename [
    print "have it"
][
    print ["couldn't find " filename clean-path filename]
]
If it doesn't, the clean-path part should help you see exactly where it is
looking.
A possible problem is that you are looking outside the sandbox... Have you
got -cs in the shebang line? E.g.:
#! ........./rebol/rebol.exe -cs
Possibly irrelevant, but if destpage is a value supplied by a user, then do
make sure it is safe. A hacker could attempt to get you to display a file you
weren't expecting by typing something like
http://www.yoursite.com?your-cgi.r?page=../../../../../etc/bin/passwords
Sunanda.
[4/8] from: kpeters::vu-ware::com at: 7-Aug-2005 14:50
cgi path
Thanks Sunanda - that was actually the first thing I tried and it didn't
work initially. Must have screwed up the upload!?!
Didn't know about clean-path which comes in handy - lots to learn!
Using the script below, it now finds and displays the files. But all
relative links from the files displayed via the Rebol script (to images
& css scripts) are broken.
Such as: <img src="images/header.png" alt="ZooBase Logo" width="750"
height="90" border="0"> and href="zbstyles.css"
I have tried playing with change-dir in the script and changing the
links in my html files to something like: "../httpdocs/images/header.png"
- all to no avail!
What do I need to do to make this work?
Thanks again,
Kai
#!/home/httpd/vhosts/<my domain>/cgi-bin/rebol -cs
REBOL []
cgiparams: system/options/cgi/query-string
print "Content-type: text/html^/"
destpage: first parse/all cgiparams "&"
destpage: second parse/all destpage "="
;****************************************************
; does the replace make it safe enough?
;****************************************************
filename: rejoin [ %../httpdocs/ replace/all destpage "/" "@" ".html" ]
either exists? filename [
html: read/lines filename
print html
][
print ["couldn't find " filename clean-path filename]
]
[5/8] from: volker::nitsch::gmail::com at: 8-Aug-2005 7:05
On 8/7/05, Kai Peters <[kpeters--vu-ware--com]> wrote:
> Thanks Sunanda - that was actually the first thing I tried and it didn't
> work initially. Must have screwed up the upload!?!
<<quoted lines omitted: 8>>
> - all to no avail!
> What do I need to do to make this work?
If I had path problems, I would dump directories from the cgi.
Showing me %../, %../ etc from the "perspective" of the rebol-script.
And then try to find the same by ftp. If they match, I have a base-path.
For security, there are two ways.
A basic one is using secure, like
secure[file quit %../../httpdocs/ [allow read] %../user-contrib/ [allow]]
you can check that with
probe secure query
If the script tries to go out of that sandbox, it auto-quits.
But you want the script to read, say passwords,
so have to allow that by secure, but not by malicious user-input.
First step: clean-path
!> clean-path %webconsole/../..
== %/home/
No more tricky %.. inside
Next one, checking for basedir:
!>find/match clean-path %webconsole/myfile clean-path %webconsole/
== %myfile
!>find/match clean-path %webconsole/../../volker clean-path %webconsole/
== none
find/match checks for abbreviations.
So
data-dir: clean-path %somewhere/
file: clean-path user-input
if find/match file data-dir[ "its ok to read" ]
find
> Thanks again,
> Kai
<<quoted lines omitted: 17>>
> To unsubscribe from the list, just send an email to
> lists at rebol.com with unsubscribe as the subject.
--
-Volker
Any problem in computer science can be solved with another layer of
indirection. But that usually will create another problem.
David Wheeler
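The base-directory check described in the message above, applied to the page name from the earlier CGI script, as an added example that is not part of the original thread. The function name `safe-page` and the sample page names are hypothetical; the %../httpdocs/ layout is taken from the thread.

```rebol
REBOL [Title: "Base-directory check for a CGI page parameter (added example)"]

; Assumption: directory layout from the thread, with the script in cgi-bin
; and the pages in a sibling httpdocs directory.
; dirize guarantees the trailing slash, so %.../httpdocs-old/ cannot match.
data-dir: dirize clean-path %../httpdocs/

safe-page: func [
    "Return the cleaned file! for a page name, or none if it leaves data-dir."
    name [string!] "page name as received from the query string"
    /local file
][
    ; Build the candidate under data-dir, then let clean-path collapse
    ; every %. and %.. segment before any comparison is made.
    file: clean-path join data-dir [name ".html"]
    ; find/match succeeds only when file begins with data-dir;
    ; /case keeps the comparison case-sensitive, as Linux paths are.
    either find/match/case file data-dir [file] [none]
]

; Constructed sample inputs; nothing is read from disk here.
foreach name ["index" "docs/setup" "../cgi-bin/rebol" "../../../etc/passwd"] [
    either file: safe-page name [
        print [mold name "-> inside data-dir:" file]
    ][
        print [mold name "-> rejected"]
    ]
]
```

In the CGI script, only the file! returned by `safe-page` would be passed to exists? and read, so the comparison and the file access use the same cleaned path.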
[6/8] from: SunandaDH::aol::com at: 8-Aug-2005 5:27
Kai:
> Using the script below, it now finds and displays the files.
> But all relative links from the files displayed via the Rebol script
> (to images & css scripts) are broken.
Personally, I'd always use absolute links in a web page. That has several
advantages, including protection against "302 hijacking".
src="images/header.png"
should work, and find the file
http://www.yoursite.com/images/header.png
So, the question is, "where is your server looking for the images file?"
I would guess it is supposed to be a subfolder of httpdocs/. But there may be
a configuration option that says otherwise.
What happens if you type
http://www.yoursite.com/images/header.png
directly into a browser window?
Sunanda.
[7/8] from: yaozhang::ebay::com at: 8-Aug-2005 21:30
What about /images/header.png ?
-
Z. Yao
[8/8] from: kpeters::vu-ware::com at: 9-Aug-2005 15:05
On Mon, 8 Aug 2005 21:30:31 -0600, Zhang, Yao wrote:
> What about /images/header.png ?
>
> -
> Z. Yao
That works just great - thanks!
Kai
Notes
- Quoted lines have been omitted from some messages.