More CGI Comments --- scripts, suffixes and such...
rst@ai.mit.edu (Robert S. Thau)
From: rst@ai.mit.edu (Robert S. Thau)
Date: Sat, 8 Jan 94 17:03:19 EST
Message-id: <9401082203.AA08999@volterra>
To: rhb@hotsand.att.com
Cc: www-talk@www0.cern.ch
In-reply-to: rhb@hotsand.att.com's message of Sat, 8 Jan 94 14:04:24 EST <9401081904.AA23102@hotsand.dacsand>
Subject: More CGI Comments --- scripts, suffixes and such...
Content-Length: 2731

From: rhb@hotsand.att.com
> ... [reformatted to fit on 80-character windows]
>
> 3) Because of (1), (2) and my general preferences of arranging files, I
> find it would be much easier to identify executables on the server side
> by being able to use a server defined suffix (notwithstanding the
> previous arguments against this) for these files (e.g., .cgi).
>
> ...
>
> Rich Brandwein
> AT&T Bell Labs
> rich.brandwein@att.com

A note of agreement --- I implemented a suffix-based scheme myself a while
ago for some of the same reasons, and I've been running with it for a few
weeks now. If you feel comfortable playing with unsupported software, you
could take a look at my hacks, which I've made available as a source patch
to NCSA httpd 1.0. See
http://www.ai.mit.edu/xperimental/run-scripts.html
for documentation and a pointer to the patch.

Briefly, the patch adds a new option, 'RunScripts' to the Allow directive
of access.conf and .htaccess files; this option designates a directory as
containing both files and scripts. Scripts in these directories are
identified by a suffix (either '.doit' or '.nph', the latter having the
same effect as the 'nph-' prefix).

These suffixes are added to the incoming URL by the server during the
search for a script, and are therefore *not* present in the URLs which
invoke the scripts. This means that any file in a 'RunScripts' directory
can be replaced with a script without changing documents which have links
to it. This is a feature, IMATSHO (that is, In My And Tony Sanders' Humble
Opinions :-), although it does get a little awkward when the file being
replaced already had a type-suffix.

The main problem with any such scheme is security. For all sorts of
reasons, it's a bad idea to let The Outside World (including potential
attackers) read the code of your scripts. In order to prevent this, at
least around here, it's *not* enough to prevent the server from tossing
files which appear to be scripts over the wall --- script code appears in
emacs backup and auto-save files as well, and so, to be thorough, I wound
up preventing the export of those. The trouble is that it's hard to tell
when to stop --- scripts may eventually get patched, for instance; do we
ban retrieval of '*.orig'?

What might be safer is to have each directory contain either scripts or
files, but not both --- files could not be retrieved at all from a scripts
directory. This would also get rid of the suffixes, which some people find
objectionable (even though most Web servers already use dot-suffixes to
determine a file's MIME type). However, this does represent a real loss in
flexibility for the server maintainer as compared to the suffix hack.

Any comments?
rst
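
Added example (not part of the original message, and not code from the NCSA httpd patch): a C model of the lookup the message describes for a 'RunScripts' directory, with a deny-list for script source, emacs backup, auto-save and '*.orig' names. The lookup order, the function names, the directory listing and the '.bak' file are assumptions constructed here; the '.bak' entry shows the "hard to tell when to stop" problem, since a name the deny-list does not anticipate is still exported.

```c
#include <stdio.h>
#include <string.h>

enum action { RUN_SCRIPT, RUN_NPH, SERVE_FILE, REFUSE, NOT_FOUND };

/* Constructed listing of one 'RunScripts' directory (sample data). */
static const char *listing[] = {
    "index.html", "search.doit", "search.doit~", "#search.doit#",
    "search.doit.orig", "search.doit.bak", "feed.nph", NULL
};

static int exists(const char *name) {
    for (size_t i = 0; listing[i]; i++)
        if (strcmp(listing[i], name) == 0) return 1;
    return 0;
}

static int ends_with(const char *s, const char *suf) {
    size_t n = strlen(s), m = strlen(suf);
    return n >= m && strcmp(s + n - m, suf) == 0;
}

/* Names that may carry script source: the scripts themselves, emacs
   backups (name~), auto-save files (#name#) and patch leftovers (.orig). */
static int may_leak_source(const char *name) {
    size_t n = strlen(name);
    if (n == 0) return 0;
    return ends_with(name, ".doit") || ends_with(name, ".nph")
        || name[n - 1] == '~' || ends_with(name, ".orig")
        || (name[0] == '#' && name[n - 1] == '#');
}

/* Assumed order: try name+suffix as a script first, then apply the deny-list,
   and only then export the name as a plain file. */
enum action resolve(const char *name) {
    char buf[256];
    static const char *suffix[] = { ".doit", ".nph" };
    if (strlen(name) > 200 || strchr(name, '/')) return REFUSE;
    for (int i = 0; i < 2; i++) {
        snprintf(buf, sizeof buf, "%s%s", name, suffix[i]);
        if (exists(buf)) return i == 0 ? RUN_SCRIPT : RUN_NPH;
    }
    if (may_leak_source(name)) return REFUSE;
    return exists(name) ? SERVE_FILE : NOT_FOUND;
}

int main(void) {
    printf("%d %d\n", resolve("search"), resolve("search.doit.bak"));
    return 0;
}
```

In this model `resolve("search.doit.bak")` returns `SERVE_FILE`: the deny-list only covers the patterns someone thought of, which is the argument for directories that hold scripts or files but not both.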