1

I've written a cgi script that processes data that is generated by another program. The problem is that this file is located outside the cgi-bin. How can I make sure that my perl scripts can read this file? I've already tried changing the permissions of this file and I also tried to make a link in the cgi-bin folder but Apache is too smart for that. I guess possible solutions are:

  • Edit the Apache config file in a way that Apache can read files outside the cgi-bin.
  • Run the cgi script with a 'portable' webserver. Like you can do with python (python -m http.server [port]). Unfortunately this does not execute the perl cgi scripts.

I'm kind of stuck how to do either one of the solutions.

brian d foy
  • 129,424
  • 31
  • 207
  • 592
TheChosenOne
  • 705
  • 1
  • 6
  • 14
  • Apache should be able to read files outside the cgi bin. Have you checked out your Apache config and the relevant Apache documentation? Also, check out PSGI Plack (http://plackperl.org/) for a modern way to run perl web apps. – i alarmed alien Sep 07 '14 at 20:23
  • Thanks for your answer. I'm gonna look into the Apache config tomorrow. I see that plackperl contains a lot of "Servers". Can you give me any pointers where I should start? That would be great! – TheChosenOne Sep 07 '14 at 21:45
  • 1
    There's nothing to configure in Apache, because Apache has no control over what you do in the CGI script. You can open any file on the system you have access to. ("You" being the user as which your CGI script is run.) Don't forget, you don't just need access to the file itself, but to the directories in which the file resides. – ikegami Sep 07 '14 at 22:32
  • This isn't true unfortunately. I can't even change files in the /tmp folder, while I can change files in the /cgi-bin/ folder. – TheChosenOne Sep 08 '14 at 07:13
  • Edit: I was able to make the application write in the cgi-bin folder (but 777 isn't really a solution i guess). – TheChosenOne Sep 08 '14 at 07:30
  • @TheChosenOne The plack/psgi advent calendar that jm666 mentions in the answer is an excellent intro. – i alarmed alien Sep 08 '14 at 07:43

2 Answers2

2

Your CGI-script could access anything on your OS unless you run the apache under a sort of jail, in this case the your can read anything in the jail. (Of course, if the apache process has permissions to read the file).

e.g the next simple script will print out your password file

use strict;
use warnings;
use CGI;

my $q=CGI->new();
print $q->header();
print qx(cat /etc/passwd);

About the modern perl web-app development, read the following:

Get some modern web-framerowk from CPAN - here are many (maybe too many) - the most known are:

I personally mostly using

EDIT

In your cgi-bin should exists a script called printenv.pl. Try:

chmod 755 printenv.pl

and point your browser to http://address/cgi-bin/printenv.pl You will get, the apache environment. See, you must know the basics of operating system commands and how the web works to succesfully run an web-application. It is impossible to write down everything in one answer, you need to use google, read answers to other questions here and such.

Also, in the above script, you can change the cat /etc/passwd to any other shell command for testing only what your cgi-script can or can not.

Community
  • 1
  • 1
clt60
  • 62,119
  • 17
  • 107
  • 194
  • I can't access files in the /tmp folder, idem for files in my home folder. I can read files in the cgi-bin/ folder (which apparently need to have http ownage). "Of course, if the apache process has permissions to read the file" Can you point me to some documentation how I can configure this? Thanks. – TheChosenOne Sep 08 '14 at 07:18
  • There are comprehensive docs at the Apache website: http://httpd.apache.org/docs/ -- setting permissions for directories is found at http://httpd.apache.org/docs/2.4/mod/core.html#directory . You can also google 'httpd.conf example' to get plenty of useful samples. – i alarmed alien Sep 09 '14 at 07:12
  • @TheChosenOne You don't need configure the apache for "permissions". Please, read a comment from Ikegami at your question. – clt60 Sep 09 '14 at 07:19
  • 1
    Then why can't I read/write the /tmp folder? It has 777 permissions. Also, a directory which is owned by http is not readable. – TheChosenOne Sep 09 '14 at 07:31
  • @TheChosenOne see the edit of my question. As i said, maybe your apache is running chrooted inside of an jail. I don't know how your apache is installed, nor about your OS... – clt60 Sep 09 '14 at 07:34
0

I've solved this problem by using plackup in combination of PSGI.

use CGI::Emulate::PSGI;
use CGI::Compile;

my $sub = CGI::Compile->compile("location/to/script.cgi");
my $app = CGI::Emulate::PSGI->handler($sub);

If you run plackup file.psgi, it sets up a local webserver that runs as the current user. Problem solved.

TheChosenOne
  • 705
  • 1
  • 6
  • 14