toniax has asked for the wisdom of the Perl Monks concerning the following question:

Hello,
Does anyone know if
    print "Content-type:text/html\n\n";
can be bypassed somehow so one may download the script instead of running it?
I am paranoid about someone doing this and want to secure my script.
-X-

Replies are listed 'Best First'.
Re: secure cgi
by ww (Archbishop) on Dec 02, 2010 at 04:07 UTC
    That would depend on your server's config; your script's location; the security of whatever admin capability is public-facing; and the phase of the moon... or the first three digits of tomorrow's winning lottery number.

    The first three are serious; the latter two are just to suggest (if the first three failed to make the point) that your question is so broad; so without definition; that a serious answer is nearly impossible.

    And when you've provided enough specificity to make a real answer possible, you might want to ask yourself what's in or done by your script that justifies your paranoia. The answers to that may suggest ways to avoid/work-around whatever issues exist.

Re: secure cgi
by Anonymous Monk on Dec 02, 2010 at 09:02 UTC
    The only way that can happen is if you misconfigure your webserver to serve your cgi programs as plain text

    or create a soft/hard link to your cgi-bin and expose it to the internet, so it gets served as plain text

        cd public_html
        ln -s cgi-bin stealmysourcecode
        http://example.com/cgi-bin/foo.cgi
        UHOH!! http://example.com/stealmysourcecode/foo.cgi

    or if there is a bug in your webserver (apache/iis...)

    or a bug in your foo.cgi, like

        seek DATA,0,0;
        print "Content-type:text/plain\n\n",
            "here is my sourcecode, steal secrets\n",
            <DATA>;
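
A check for the soft/hard link case described in the reply above, as an added example that is not part of the original thread: it lists names under the document root that reach the CGI directory by another path. It assumes GNU `readlink -f` and `find -samefile`; the function names and the constructed sample tree are hypothetical.

```shell
#!/bin/sh
# Added example: list names under a document root that reach the CGI
# directory by another path. Assumes GNU findutils/coreutils
# (readlink -f, find -samefile).

find_cgi_aliases() {
    [ -d "$1" ] && [ -d "$2" ] || return 2
    docroot=$(readlink -f "$1")
    cgidir=$(readlink -f "$2")

    # Soft links outside CGIDIR that resolve to CGIDIR or to a file in it.
    find "$docroot" -type l ! -path "$cgidir/*" | while IFS= read -r link; do
        target=$(readlink -f "$link") || continue
        case "$target" in
            "$cgidir"|"$cgidir"/*) printf 'symlink\t%s\n' "$link" ;;
        esac
    done

    # Hard links: a file outside CGIDIR sharing an inode with a script in it.
    find "$cgidir" -type f -links +1 | while IFS= read -r script; do
        find "$docroot" -samefile "$script" ! -path "$cgidir/*" |
            while IFS= read -r twin; do printf 'hardlink\t%s\n' "$twin"; done
    done
}

# Constructed sample tree mirroring the reply's public_html/cgi-bin layout.
demo() {
    tmp=$(mktemp -d) || return 1
    mkdir -p "$tmp/public_html/cgi-bin"
    printf '#!/usr/bin/perl\nprint "Content-type:text/html\\n\\n";\n' \
        > "$tmp/public_html/cgi-bin/foo.cgi"
    (cd "$tmp/public_html" && ln -s cgi-bin stealmysourcecode)
    ln "$tmp/public_html/cgi-bin/foo.cgi" "$tmp/public_html/foo.txt" 2>/dev/null || true
    find_cgi_aliases "$tmp/public_html" "$tmp/public_html/cgi-bin"
    rm -rf "$tmp"
}

demo
```

Any path it prints is a name the web server may serve as a static file rather than execute, so each one should be removed or explicitly denied in the server configuration.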