1
votes

I've written a cgi script that processes data that is generated by another program. The problem is that this file is located outside the cgi-bin. How can I make sure that my perl scripts can read this file? I've already tried changing the permissions of this file and I also tried to make a link in the cgi-bin folder but Apache is too smart for that. I guess possible solutions are:

  • Edit the Apache config file in a way that Apache can read files outside the cgi-bin.
  • Run the cgi script with a 'portable' webserver. Like you can do with python (python -m http.server [port]). Unfortunately this does not execute the perl cgi scripts.

I'm kind of stuck how to do either one of the solutions.

2
Apache should be able to read files outside the cgi bin. Have you checked out your Apache config and the relevant Apache documentation? Also, check out PSGI Plack (plackperl.org) for a modern way to run perl web apps. - i alarmed alien
Thanks for your answer. I'm gonna look into the Apache config tomorrow. I see that plackperl contains a lot of "Servers". Can you give me any pointers where I should start? That would be great! - TheChosenOne
There's nothing to configure in Apache, because Apache has no control over what you do in the CGI script. You can open any file on the system you have access to. ("You" being the user as which your CGI script is run.) Don't forget, you don't just need access to the file itself, but to the directories in which the file resides. - ikegami
This isn't true unfortunately. I can't even change files in the /tmp folder, while I can change files in the /cgi-bin/ folder. - TheChosenOne
Edit: I was able to make the application write in the cgi-bin folder (but 777 isn't really a solution i guess). - TheChosenOne

2 Answers

2
votes

Your CGI-script could access anything on your OS unless you run the apache under a sort of jail, in this case the your can read anything in the jail. (Of course, if the apache process has permissions to read the file).

e.g the next simple script will print out your password file

use strict;
use warnings;
use CGI;

my $q=CGI->new();
print $q->header();
print qx(cat /etc/passwd);

About the modern perl web-app development, read the following:

Get some modern web-framerowk from CPAN - here are many (maybe too many) - the most known are:

I personally mostly using

EDIT

In your cgi-bin should exists a script called printenv.pl. Try:

chmod 755 printenv.pl

and point your browser to http://address/cgi-bin/printenv.pl You will get, the apache environment. See, you must know the basics of operating system commands and how the web works to succesfully run an web-application. It is impossible to write down everything in one answer, you need to use google, read answers to other questions here and such.

Also, in the above script, you can change the cat /etc/passwd to any other shell command for testing only what your cgi-script can or can not.

0
votes

I've solved this problem by using plackup in combination of PSGI.

use CGI::Emulate::PSGI;
use CGI::Compile;

my $sub = CGI::Compile->compile("location/to/script.cgi");
my $app = CGI::Emulate::PSGI->handler($sub);

If you run plackup file.psgi, it sets up a local webserver that runs as the current user. Problem solved.