heyman has asked for the wisdom of the Perl Monks concerning the following question:

I have a quick, dumb question for anyone that knows.

If I have a cgi perl file say at http://mysite.com/paul.cgi

Is there a way for someone to get the actual code written in this CGI file? I know users can see the source in HTML & Javascript but what about CGI?

I wanted to know for my security precautions.

ADAM

Replies are listed 'Best First'.
Re: quick question about security and viewing CGI source code
by dws (Chancellor) on Apr 19, 2001 at 05:55 UTC
    Is there a way for someone to get the actual code written in this CGI file?

    Assuming that someone doesn't exploit some security hole in the web server*, they'll only see whatever the CGI produces. Ideally, this is valid HTML. :)

    * There are lots of ways this can happen. Make sure your web server platform is up-to-date on security fixes. If you're running IIS, take extra care to be up-to-date.

Re: quick question about security and viewing CGI source code
by repson (Chaplain) on Apr 19, 2001 at 08:22 UTC
    Apart from what has been mentioned, you should be careful that your cgi's own security doesn't let people see its source. Start with
    #!/usr/bin/perl -wT
    use strict;
    Then read up widely starting somewhere like the cgi/security links in Outside Links.
Re: quick question about security and viewing CGI source code
by Xxaxx (Monk) on Apr 19, 2001 at 05:37 UTC
    This is a security issue which does affect us as Perl coders but really doesn't belong in a Perl coding forum.

    The proper first place to start is with your ISP or web hosting service. You really need to find out what specific security they have set up on their machine.

    Many servers are configured so that anything in a directory called cgi-bin is not served as text or html to the world. There are also situations in which you can simply use the permissions on your files to prevent viewing.

    But, these settings depend upon the actual situation you find yourself in. Start with your webhosting service for your specific situation. If you want information about this issue in general look in server setup forums. That will get you started in the study of the various options.

    Claude

Re: quick question about security and viewing CGI source code
by rchiav (Deacon) on Apr 19, 2001 at 20:07 UTC
    Just to test it, you could create a link to your script on some page. Then do whatever you do to "save as" (different browsers/OS's have different methods for this). If you get the script, there's a problem. If you get the output, then you know that the server is processing the script before it will serve it.

    This isn't to say that there isn't some exploit that someone will find to gain access to your script, but you can assure yourself that it's not wide open to the public.

    Rich
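
The "save as" test from rchiav's reply can be scripted by comparing what the server returns with the script as stored on disk. This is an added example, not code from the thread; the function names, the 0.8 threshold and the sample script and responses are assumptions constructed for illustration.

```python
import urllib.request

def fetch(url, timeout=10):
    """GET url and return (content_type, body_bytes)."""
    with urllib.request.urlopen(url, timeout=timeout) as resp:
        return resp.headers.get("Content-Type", ""), resp.read()

def code_lines(data):
    """Stripped, non-blank lines; comparing sets of lines ignores CRLF/LF changes."""
    return {ln.strip() for ln in data.splitlines() if ln.strip()}

def check_exposure(script_bytes, body, threshold=0.8):
    """Return (verdict, fraction of the script's lines found in the response).

    A CGI that prints HTML from a here-doc legitimately echoes some of its own
    lines, so a low overlap is normal; the interpreter line or a high overlap
    means the server sent the file instead of running it.
    """
    wanted = code_lines(script_bytes)
    if not wanted:
        raise ValueError("local script is empty")
    overlap = len(wanted & code_lines(body)) / len(wanted)
    first = script_bytes.lstrip().splitlines()[0].strip()
    if first.startswith(b"#!") and first in code_lines(body):
        return "SOURCE EXPOSED", overlap
    if overlap >= threshold:
        return "SOURCE EXPOSED", overlap
    return "EXECUTED", overlap

# Constructed sample: a small CGI script and two possible server responses.
SCRIPT = b"""#!/usr/bin/perl -wT
use strict;
print "Content-type: text/html\\n\\n";
print <<HTML;
<html><body>
<p>Hello from paul.cgi</p>
</body></html>
HTML
"""
RESP_EXECUTED = b"<html><body>\n<p>Hello from paul.cgi</p>\n</body></html>\n"
RESP_LEAKED = SCRIPT.replace(b"\n", b"\r\n")  # file served as-is, CRLF endings

if __name__ == "__main__":
    for name, body in (("executed", RESP_EXECUTED), ("leaked", RESP_LEAKED)):
        print(name, check_exposure(SCRIPT, body))
    # Against your own site (URL as in the question, local path assumed):
    # ctype, body = fetch("http://mysite.com/paul.cgi")
    # print(ctype, check_exposure(open("paul.cgi", "rb").read(), body))
```

A result of EXECUTED only shows that this one URL is processed by the server, which is the same limit rchiav notes for the manual test.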