Re: Can CGI script un-virtualize a relative path?

From: Gunnar Hjalmarsson (noreply_at_gunnar.cc)
Date: 07/13/04


Date: Tue, 13 Jul 2004 21:11:34 +0200

John Seal wrote:
> If I use CGI:
>
> <!--#include
> virtual="/cgi-bin/demo.tcl?src=code/lesson%201/smiley.tcl" -->
>
> then I can think of no way for the script to map the src tail to an
> actual physical file. The only path-related environment variables
> are:

<environment variables snipped>

> where all the paths mentioning the .shtml file are virtual, and all
> the physical paths are to the CGI script rather than the web page.
> I can make the CGI work by calling like this:
>
> <!--#include
> virtual="/cgi-bin/demo.tcl?src=~john/Sites/code/lesson%201/smiley.tcl"
> -->
>
> but that's not portable; in particular, the Sites directory is not
> mentioned anywhere in the environment. The actual physical
> location of the web page is /Users/john/Sites/ssi-test.shtml, and
> the included file is located at
> /Users/john/Sites/code/lesson%201/smiley.tcl. I'm sure the Apache
> config somehow maps /~john/ to my personal Sites directory, but I
> essentially need to un-virtualize that and get a physical path.
>
> Unless files processed by CGI are supposed to be located relative
> to the CGI rather than the web page (which doesn't make sense to
> me), then surely there must be some way for a CGI script to
> un-virtualize a path relative to the web page. Is there? What is
> the *right* solution to this problem?

I don't know if there is any "right" solution, or if there is a way
for a CGI script to "un-virtualize" the URI info. If there is, I
suppose there are security issues involved that need to be addressed.

If I understand it correctly, you have multiple users with personal
web sites, while cgi-bin is a server-wide alias. In HTML documents
located in their respective home directories, the users include a
script (demo.tcl) located in the server-wide cgi-bin, and you would
like that script to be able to read (or execute?) files located in the
respective home directory.

One thought is that you hard-code some configuration info in demo.tcl
that makes it possible to locate the respective home directory from
the request URI.

-- 
Gunnar Hjalmarsson
Email: http://www.gunnar.cc/cgi-bin/contact.pl
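
The hard-coded mapping suggested in the reply above, with the checks its security remark calls for, as an added example that is not part of the original thread. It is written in Python rather than Tcl; the `/Users/{user}/Sites` template is an assumption taken from the paths quoted in the question, and `resolve_src` is a hypothetical helper name.

```python
import os
import re
from urllib.parse import parse_qs, unquote

# Assumed hard-coded configuration: /~john/ is served from /Users/john/Sites.
USERDIR_TEMPLATE = "/Users/{user}/Sites"
# Strict user-name pattern so the URI cannot inject path components.
USER_URI = re.compile(r"^/~([a-z_][a-z0-9_-]{0,31})(/[^?#]*)")


def resolve_src(request_uri, query_string, template=USERDIR_TEMPLATE):
    """Map the src= parameter to a file inside the requesting user's site.

    request_uri is the URI of the including page, query_string is the
    CGI's QUERY_STRING. Returns an absolute path, or None to refuse.
    """
    m = USER_URI.match(request_uri)
    if m is None:
        return None                      # not a /~user/ page
    user, page_path = m.group(1), unquote(m.group(2))
    site_root = os.path.realpath(template.format(user=user))

    values = parse_qs(query_string).get("src", [])
    if len(values) != 1:
        return None                      # missing or repeated parameter
    src = values[0]                      # parse_qs already percent-decoded it
    if not src or src.startswith("/") or "\x00" in src + page_path:
        return None                      # only page-relative names allowed

    # Resolve relative to the including page's directory, collapse ".." and
    # symlinks, then require the result to stay inside the user's own root.
    page_dir = os.path.dirname(page_path).lstrip("/")
    candidate = os.path.realpath(os.path.join(site_root, page_dir, src))
    if os.path.commonpath([site_root, candidate]) != site_root:
        return None
    return candidate
```

The containment check runs after `realpath`, so a `src` value that climbs out with `..` or through a symlink is refused instead of being read with the privileges of the server-wide script.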

