http://www.perlmonks.org?node_id=448914

Andre_br has asked for the wisdom of the Perl Monks concerning the following question:

Hello my friends,

Has any of you info about whether putting perl scripts in /cgi-bin is safe or not? I couldn't find that over the web.

Also, I'd like your advice on those hiding-script-names technique - the guys from my host don't know it either - like the one PayPal uses:

https://www.paypal.com/cgi-bin/webscr?cmd=xpt/bizui/IntegrationDirect-outside
Which script is this? Webscr.cgi?

Thanks a lot

André

Re: Is /cgi-bin safe?
by dragonchild (Archbishop) on Apr 18, 2005 at 15:21 UTC
    Safer as opposed to what? The webserver has to be able to find your code in order to execute it. If you want people you don't trust to do something on your machine, you will probably want to validate and sanitize the requests they give you. There are hundreds of good articles on hardening Apache servers, MySQL databases, Oracle databases, etc etc etc.

    re: "hidding-script-names technique": That's URL rewriting. Apache does this very easily with many modules - mod_rewrite being one of them. CGI::Application has CGI::Application::Dispatch which does something very similar. There is probably no real file with the name webscr or webscr.cgi or webscr.pl or whatever.
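    To make the two points above concrete, here is an added Apache 2.x configuration fragment (example config, not from the thread or from PayPal; the paths, the vhost layout and the script name dispatch.pl are assumptions for illustration). It shows why a ScriptAlias'd /cgi-bin is not in itself a hole, and what the "hidden" script name actually is: a mod_rewrite mapping.

```apache
# Added example, not part of the original thread.
# Paths, directory names and dispatch.pl are assumptions.

# 1. /cgi-bin is a ScriptAlias, i.e. outside DocumentRoot. Anything requested
#    under /cgi-bin/ is executed as a program by the cgi-script handler; the
#    script source is never sent to the client and the directory cannot be
#    listed. ExecCGI is not needed here, ScriptAlias already implies it.
ScriptAlias /cgi-bin/ /srv/www/cgi-bin/

<Directory "/srv/www/cgi-bin">
    AllowOverride None
    # no Indexes, no FollowSymLinks, no Includes
    Options None
    # Apache 2.4 syntax; 2.2 uses Order allow,deny / Allow from all
    Require all granted
</Directory>

# 2. Keep scripts out of DocumentRoot. If a .pl file lives under htdocs and
#    the handler for it is missing or disabled, the server serves its source
#    as plain text, which is the classic way CGI code (and the credentials
#    inside it) leaks.
DocumentRoot /srv/www/htdocs
<Directory "/srv/www/htdocs">
    Options -ExecCGI -Indexes
    AllowOverride None
    Require all granted
</Directory>

# 3. The "hidden script name" is plain URL rewriting. A request for
#    /cgi-bin/webscr?cmd=... is passed through (PT) to the alias above with
#    the query string kept (QSA), and ends up at /srv/www/cgi-bin/dispatch.pl.
#    The client cannot tell what the real file is, but nothing is protected
#    by this; it is cosmetics, not a security control.
RewriteEngine On
RewriteRule ^/cgi-bin/webscr$ /cgi-bin/dispatch.pl [PT,QSA]
```

    A quick check after applying something like this: request /cgi-bin/dispatch.pl and /cgi-bin/webscr with a non-existent cmd and confirm you get script output (or a clean error from the script), never the Perl source; then request a .pl path under htdocs and confirm it is either absent or refused rather than served as text.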

Re: Is /cgi-bin safe?
by gellyfish (Monsignor) on Apr 18, 2005 at 15:19 UTC

    As long as your web server is configured securely yes it is perfectly safe - it's generally what you put in the programs in there that causes the insecurities.

    /J\
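    The point that "what you put in the programs" is where the insecurity comes from, as an added Perl example (not code from the thread): the same CGI parameter handled the careless way, shown in a comment, and the way that survives taint mode. The parameter name, the ping command and the allow-list are assumptions for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the original thread.
# Taint mode (-T) refuses to hand user-derived data to system(), exec(),
# piped open() and similar until it has been untainted by a regex capture.
# Parameter and command names below are assumptions for illustration.
use strict;
use warnings;
use CGI;

# -T also distrusts the inherited environment; set PATH ourselves and drop
# the variables a shell would honour.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $q    = CGI->new;
my $host = $q->param('host');
$host = '' unless defined $host;

# Vulnerable version, the kind of line that makes a CGI script dangerous:
#     system("ping -c 1 $host");
# With host = "example.com; cat /etc/passwd" the shell runs both commands.
# Under -T perl dies here with "Insecure dependency in system" before any
# shell is started, which is the whole reason to run CGI scripts with -T.

# Hardened version: allow-list the value (the capture is what untaints it),
# reject everything else with a 400, and never go through a shell at all.
my ($safe_host) = $host =~ /\A([A-Za-z0-9.-]{1,253})\z/
    or do {
        print $q->header(-status => '400 Bad Request', -type => 'text/plain');
        print "bad host\n";
        exit;
    };

print $q->header('text/plain');

# List-form system() with more than one element never invokes /bin/sh, so
# shell metacharacters in $safe_host (already excluded by the regex anyway)
# could not become extra commands.
my $rc = system('ping', '-c', '1', $safe_host);
print $rc == 0 ? "reachable\n" : "unreachable\n";
```

    Two practical notes: the `-T` switch must be on the shebang line (or in Apache's handler invocation), because perl refuses `-T` set later via `PERL5OPT` or `use` lines, and the regex allow-list is the untainting step, so keep it as narrow as the application actually needs rather than `(.*)`, which untaints without checking anything.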

Re: Is /cgi-bin safe?
by PodMaster (Abbot) on Apr 18, 2005 at 15:24 UTC
    Has any of you info about whether putting perl scripts in /cgi-bin is safe or not? I couldn't find that over the web.
    Safe how?
    Which script is this? Webscr.cgi?
    Try visiting webscr.cgi to see what happens. You're assuming it's a script, only the administrator would know for sure.

    MJD says "you can't just make shit up and expect the computer to know what you mean, retardo!"
    I run a Win32 PPM repository for perl 5.6.x and 5.8.x -- I take requests (README).
    ** The third rule of perl club is a statement of fact: pod is sexy.

Re: Is /cgi-bin safe?
by brian_d_foy (Abbot) on Apr 18, 2005 at 17:59 UTC

    A URL does not have to map to a particular file name, so guessing what PayPal might have named its script (or handler, or whatever does the work) is pointless.

    Note, however, that you usually don't have to name your script with an extension if it is in a CGI directory since the web server assumes that anything there is a script. The extension is useful when you allow scripts in any part of the browseable file system.

    --
    brian d foy <brian@stonehenge.com>
      Hey folks,

      In fact, I meant 'safe' location to put the scripts. Sure, I'm pretty aware of the other safety issues. Thanks a lot for the replies.

      André

Re: Is /cgi-bin safe?
by ambs (Pilgrim) on Apr 18, 2005 at 15:23 UTC
    It depends a lot on what you write into the script.

    Alberto Simões