
Re: [MacPerl-WebCGI] HTTP_REFERER and executable questions



>I've written a cgi script that returns the web URL last visited. However, 
>it only works when the last page visited is my own web page, not when 
>I've visited Apple's page last (and call the cgi directly). Could it be a 
>limitation that providers impose?

Yes and no. Consider: Do you yourself want some webmaster to be able to 
see that you were just visiting his/her competitor's site?

Environment variables are rather optional and only partially reliable. 
It's not hard to hide them or alter their contents for good purposes or 
ill, either from the server side or the client side.

>I've a bit of difficulty understanding the usefulness of HTTP_REFERER when I 
>can see its contents only if someone lands at my site via a cgi script. 
>So, I would see no possibility to see how people ended up at my website. 

You have the crux of the issue here. Environment variables should 
generally be considered ornamentation, unless you want to use them to 
casually track a visitor's path through your site, in which case you 
should still consider them decorative. Don't reveal sensitive information 
based on these variables, and don't charge people money based on them, 
either.

Cookies appear to be more reliable, but you still should not base any 
security solely on the contents of a cookie. Cookies can also be rigged.

>When I've made a file executable, I can drag a replacement (with the same 
>name) in the cgi-bin folder and I don't have to make it executable again. 
>Is that the general behaviour, i.e. does the server keep a list of names 
>of executable files?

Are we talking about a Mac server or some other server? 

In the UNIX world, servers tend to base executability on three 
indicators: file permissions, file name extensions, and 
folders/directories. The server is usually told to make executables 
accessible only in the cgi directory, which is often set to be cgi-local 
or cgi-bin. You can still require specific extensions (.cgi, .pl, etc.) 
within this directory. (On the other hand, html in the cgi directory is 
often not accessible.) Then you must set the file permissions on each cgi 
program file to allow execution by users making requests to the web 
server, meaning your usual visitor-from-who-knows-where.

Thinking about this, some systems set permissions according to the 
overwritten file when overwriting files, which would give the result you 
mention above without actually requiring the system to track anything.

Servers on the Mac might exhibit similar behaviour for similar reasons.

HTH

rees_joel@fujicomp.co.jp
http://www.fujicomp.co.jp
http://www.udit.gr.jp
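
Added example, not part of the original message: a Perl CGI helper that uses HTTP_REFERER only for casual path tracking and keeps it out of the access decision, as the reply advises. The host name in $OWN_HOST, the server-side session record and the sample requests are assumptions constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $OWN_HOST = 'www.example.org';    # assumption: this site's host name

# Classify the client-supplied Referer for casual path tracking only.
# Returns (class, printable): class is absent|internal|external|malformed.
sub classify_referer {
    my ($env) = @_;
    my $raw = $env->{HTTP_REFERER};
    return ('absent', '-') unless defined $raw && length $raw;

    # Truncate and replace non-printable bytes before the value reaches a log.
    (my $printable = substr($raw, 0, 200)) =~ s/[^\x21-\x7e]/?/g;

    my ($host) = $raw =~ m{\Ahttps?://([A-Za-z0-9.-]+)(?::\d+)?(?:[/?#]|\z)}i
        or return ('malformed', $printable);
    my $class = lc($host) eq lc($OWN_HOST) ? 'internal' : 'external';
    return ($class, $printable);
}

# The access decision reads only state the server verified itself (a
# hypothetical server-side session record); the Referer plays no part.
sub may_view_members_page {
    my ($session) = @_;
    return $session->{authenticated} ? 1 : 0;
}

# Constructed sample requests, not captured traffic.
my @samples = (
    [ 'CGI called directly',    {},                                                {} ],
    [ 'link from own page',     { HTTP_REFERER => "http://$OWN_HOST/index.html" }, {} ],
    [ 'link from another site', { HTTP_REFERER => 'http://www.apple.com/' },       {} ],
    [ 'forged by the client',   { HTTP_REFERER => "http://$OWN_HOST/members/" },   {} ],
    [ 'control characters',     { HTTP_REFERER => "x\r\nfake log line" },          {} ],
    [ 'logged in, no referer',  {},                              { authenticated => 1 } ],
);

for my $s (@samples) {
    my ($label, $env, $session) = @$s;
    my ($class, $printable) = classify_referer($env);
    printf "%-24s class=%-9s access=%s referer=%s\n",
        $label, $class, may_view_members_page($session) ? 'yes' : 'no', $printable;
}
```

The forged request is classified as internal yet still gets no access, and the direct call shows up as absent, which matches what the original poster saw when calling the cgi directly.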

