Posted to dev@httpd.apache.org by Jeff Trawick <tr...@gmail.com> on 2012/12/15 15:00:25 UTC

Re: svn commit: r1421184 - in /httpd/httpd/branches/2.4.x/docs/cgi-examples: printenv.vbs printenv.wsf

On Thu, Dec 13, 2012 at 5:04 AM, <fu...@apache.org> wrote:

> Author: fuankg
> Date: Thu Dec 13 10:04:51 2012
> New Revision: 1421184
>
> URL: http://svn.apache.org/viewvc?rev=1421184&view=rev
> Log:
> Added Windows CGI samples.
>
> Added:
>     httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs   (with
> props)
>     httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf   (with
> props)
>

I don't understand why we ship this.

If some Windows user wants to find out how to write a CGI script in yet
another language they can bing it.

We have had a couple of very basic examples from the dark ages of the web,
and that is MUCH more than enough IMO, particularly since these particular
examples are information leaks as soon as somebody enables them.



>
> Added: httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs?rev=1421184&view=auto
>
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs (added)
> +++ httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs Thu Dec 13
> 10:04:51 2012
> @@ -0,0 +1,29 @@
> +'
> +
> +' To permit this cgi, replace ' on the first line above with the
> +' appropriate shebang, f.e. '!c:/windows/system32/cscript -nologo
> +'
> +' Note that it is subject to cross site scripting attacks on MS IE
> +' and any other browser which fails to honor RFC2616, so never use
> +' it in a live server environment, it is provided only for testing.
> +
> +''
> +''  printenv -- demo CGI program which just prints its environment
> +''
> +Option Explicit
> +
> +Dim objShell, objArray, str, envvar, envval
> +Set objShell = CreateObject("WScript.Shell")
> +Set objArray = CreateObject("System.Collections.ArrayList")
> +
> +WScript.StdOut.WriteLine "Content-type: text/plain; charset=iso-8859-1" &
> vbLF
> +For Each str In objShell.Environment("PROCESS")
> +  objArray.Add str
> +Next
> +objArray.Sort()
> +For Each str In objArray
> +  envvar = Left(str, InStr(str, "="))
> +  envval = Replace(Mid(str, InStr(str, "=") + 1), vbLF, "\n")
> +  WScript.StdOut.WriteLine envvar & Chr(34) & envval & Chr(34)
> +Next
> +
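
Review bot: The header comment warns only about cross-site scripting, but the `For Each str In objShell.Environment("PROCESS")` loop writes every variable in the process environment to the response, so the comment should also state that enabling the script discloses the server's environment to any client that requests it. In the second loop only vbLF is escaped: a value containing Chr(34) or vbCR is written unchanged between the Chr(34) quotes, which makes the output ambiguous, so escape those alongside vbLF. Because text/plain is the only thing keeping a browser from rendering an echoed value, consider also writing an `X-Content-Type-Options: nosniff` header line before the blank line that ends the headers.
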
>
> Propchange: httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs
>
> ------------------------------------------------------------------------------
>     svn:eol-style = native
>
> Added: httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf
> URL:
> http://svn.apache.org/viewvc/httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf?rev=1421184&view=auto
>
> ==============================================================================
> --- httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf (added)
> +++ httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf Thu Dec 13
> 10:04:51 2012
> @@ -0,0 +1,30 @@
> +'
> +
> +' To permit this cgi, replace ' on the first line above with the
> +' appropriate shebang, f.e. '!c:/windows/system32/cscript -nologo
> +'
> +' Note that it is subject to cross site scripting attacks on MS IE
> +' and any other browser which fails to honor RFC2616, so never use
> +' it in a live server environment, it is provided only for testing.
> +
> +''
> +''  printenv -- demo CGI program which just prints its environment
> +''
> +<job>
> +<script language="JScript">
> +  WScript.Echo("Content-type: text/plain; charset=iso-8859-1\n");
> +  var objShell = new ActiveXObject("WScript.Shell");
> +  var objArray = new Array();
> +  var e = new Enumerator(objShell.Environment("PROCESS"));
> +  for (;!e.atEnd();e.moveNext()) {
> +    var i = e.item().indexOf("=");
> +    var envvar = e.item().substring(0, i);
> +    var envval = e.item().substring(i + 1, e.item().length);
> +    envval = envval.replace("\n", "\\n");
> +    objArray.push(envvar + "=\"" + envval + "\"");
> +  }
> +  objArray.sort();
> +  WScript.Echo(objArray.join("\n"));
> +</script>
> +</job>
> +
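
Review bot: `envval.replace("\n", "\\n")` passes a string pattern, so JScript replaces only the first newline in the value; any later newline is written raw and breaks the one-variable-per-line output. Use a global regular expression, `envval.replace(/\n/g, "\\n")`, which matches what Replace() does in the .vbs version. As in the .vbs file, a double quote inside a value is not escaped before the value is wrapped in `"`, and the header comment mentions cross-site scripting but not that the script prints the whole process environment.
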
>
> Propchange: httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf
>
> ------------------------------------------------------------------------------
>     svn:eol-style = native
>
>
>


-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: svn commit: r1421184 - in /httpd/httpd/branches/2.4.x/docs/cgi-examples: printenv.vbs printenv.wsf

Posted by Guenter Knauf <fu...@apache.org>.
Hi Jeff,
On 17.12.2012 16:00, Jeff Trawick wrote:
> Here's a compromise.  Use 2.4.x/STATUS to see if you get two more votes
> to add the two new CGIs to the 2.4.x install.  If two other people
> agree, I'll be quiet.  I know these files are under docs, but changing
> code that gets installed should be voted on.  (Even a recent tweak to
> printenv went through STATUS.)
yes, and for this reason up to now I didn't yet change Makefile.win ;-)
http://svn.apache.org/viewvc?view=revision&revision=1422982

> I don't think avoiding adding these new features requires removing the
> existing, similar ones, though I'm +1 for removing the existing ones
> from trunk.
I'm -1 for removing any samples cause I believe they are useful for 1st 
testing of CGIs; but if we are going to remove them then I would like to 
create a cgi-samples folder in svn tree and collect there these samples 
and probably some more, and provide them also for download.

> Why can't a tiny example in the documentation show what is needed to
> have a script that httpd can execute?  The Windows platform
> documentation has a few comments about CGIs and the CGI tutorial
> documentation has a tiny amount of Windows information.  Somewhere in
> there is a reasonable place to document any Windows-specific issues in
> this area.
probably this is a good place; though I'm not that good with docu - 
maybe Daniel has the mood to give it a try?

Gün.


Re: svn commit: r1421184 - in /httpd/httpd/branches/2.4.x/docs/cgi-examples: printenv.vbs printenv.wsf

Posted by Jeff Trawick <tr...@gmail.com>.
On Mon, Dec 17, 2012 at 7:27 AM, Guenter Knauf <fu...@apache.org> wrote:

> Hi Jeff,
> On 15.12.2012 15:00, Jeff Trawick wrote:
>
>> On Thu, Dec 13, 2012 at 5:04 AM, <fuankg@apache.org> wrote:
>>
>>     Author: fuankg
>>     Date: Thu Dec 13 10:04:51 2012
>>     New Revision: 1421184
>>
>>     URL: http://svn.apache.org/viewvc?rev=1421184&view=rev
>>     Log:
>>     Added Windows CGI samples.
>>
>>     Added:
>>          httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs
>>     (with props)
>>          httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf
>>     (with props)
>>
>>
>> I don't understand why we ship this.
>>
>> If some Windows user wants to find out how to write a CGI script in yet
>> another language they can bing it.
>>
>> We have had a couple of very basic examples from the dark ages of the
>> web, and that is MUCH more than enough IMO, particularly since these
>> particular examples are information leaks as soon as somebody enables
>> them.
>>
> my motivation for these was that the .vbs is like a counterpart to
> test-cgi, and for the .wsf BZ 51359 to show that we don't need another
> shebang test in the code. These samples are inactive same as printenv and
> test-cgi (no active shebang), and if we trust that a Unix admin knows what
> he does when he activates them why don't we trust a Windows admin too?
> If you think those samples are bad remove them again, but then please also
> remove printenv and test-cgi which are basically same.
>
> Gün.
>
>
Here's a compromise.  Use 2.4.x/STATUS to see if you get two more votes to
add the two new CGIs to the 2.4.x install.  If two other people agree, I'll
be quiet.  I know these files are under docs, but changing code that gets
installed should be voted on.  (Even a recent tweak to printenv went
through STATUS.)

I don't think avoiding adding these new features requires removing the
existing, similar ones, though I'm +1 for removing the existing ones from
trunk.

Why can't a tiny example in the documentation show what is needed to have a
script that httpd can execute?  The Windows platform documentation has a
few comments about CGIs and the CGI tutorial documentation has a tiny
amount of Windows information.  Somewhere in there is a reasonable place to
document any Windows-specific issues in this area.

-- 
Born in Roswell... married an alien...
http://emptyhammock.com/

Re: svn commit: r1421184 - in /httpd/httpd/branches/2.4.x/docs/cgi-examples: printenv.vbs printenv.wsf

Posted by Guenter Knauf <fu...@apache.org>.
Hi Jeff,
On 15.12.2012 15:00, Jeff Trawick wrote:
> On Thu, Dec 13, 2012 at 5:04 AM, <fuankg@apache.org> wrote:
>
>     Author: fuankg
>     Date: Thu Dec 13 10:04:51 2012
>     New Revision: 1421184
>
>     URL: http://svn.apache.org/viewvc?rev=1421184&view=rev
>     Log:
>     Added Windows CGI samples.
>
>     Added:
>          httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.vbs
>     (with props)
>          httpd/httpd/branches/2.4.x/docs/cgi-examples/printenv.wsf
>     (with props)
>
>
> I don't understand why we ship this.
>
> If some Windows user wants to find out how to write a CGI script in yet
> another language they can bing it.
>
> We have had a couple of very basic examples from the dark ages of the
> web, and that is MUCH more than enough IMO, particularly since these
> particular examples are information leaks as soon as somebody enables them.
my motivation for these was that the .vbs is like a counterpart to
test-cgi, and for the .wsf BZ 51359 to show that we don't need another
shebang test in the code. These samples are inactive same as printenv
and test-cgi (no active shebang), and if we trust that a Unix admin
knows what he does when he activates them why don't we trust a Windows
admin too?
If you think those samples are bad remove them again, but then please
also remove printenv and test-cgi which are basically same.

Gün.