
Common Gateway Interface (CGI current version 1.1)


Presentation Transcript


  1. Common Gateway Interface (CGI current version 1.1)
     • A standard for external applications to interface with information servers such as HTTP servers
     • http://hoohoo.ncsa.uiuc.edu/docs/cgi/overview.html
     • These external applications typically help to relay info between httpd and other software systems, e.g., a DB. This is how CGI gets its gateway name.
     • They are called CGI programs and can be written in any language that follows the CGI spec: Perl, Unix shell, C/C++, Fortran, TCL, Visual Basic
     • A CGI program is executed dynamically and provides dynamic content.
     C. Edward Chow

  2. CGI Security Concerns
     • A CGI program runs with the ID of the httpd (webuser in our case, nobody in many other web servers).
     • It can retrieve and overwrite files in any directory for which it has access permission!
     • “Security by Obscurity”: CGI programs are kept in a different directory from the web pages so bad guys can’t read, edit, or analyze them for security holes.
     • Example of why Apache by default does not follow soft links (ln -s): a bad guy sets up an ln -s to a script, then uses a web browser, through httpd (with its new permission as webuser), to retrieve the text of the script.

  3. Apache CGI Configuration
     • Allow read and execute access to the CGI programs, and possibly write access to the data directories used by them.
     • ScriptAlias URLpath directory
         e.g., ScriptAlias /cgi-bin /mpc/home/<login>/sites/cgi-bin
     • An incoming URL with /cgi-bin/echoorder.pl causes /mpc/home/<login>/sites/cgi-bin/echoorder.pl to run.

  4. Apache CGI Exercise 1
     • cd /mpc/home/<login>/site.cgi/conf
     • Run sub.pl <your port#>. It will modify the go script and conf/httpd.conf.
     • Start the web server with go.
     • In the browser, retrieve http://bilbo:<port#>/form_summer.html
     • Fill in the form and submit the query.
     • Observe the environment variables returned.

  5. Apache CGI Exercise 2
     • The myecho file is the object code for FreeBSD. Recompile myecho with “make”.
     • cp form_summer.html form_summer2.html
     • Edit form_summer2.html by replacing /cgi-bin/mycgi with /cgi-bin/myecho in the <FORM> tag; rename it as form_summer2.html.
     • In the browser, retrieve http://bilbo:<port#>/form_summer2.html
     • Observe the returned web page.

  6. CGI.pm: A Perl5 CGI Library
     • Echoorder.pl and process.pl are written with the recent version 2.36 of CGI.pm by Lincoln Stein
       http://www-genome.wi.mit.edu/ftp/pub/software/WWW/cgi_docs.html
     • It provides functions for
         • parsing the query string
         • creating web pages/fill-out forms
         • saving/retrieving the query string to/from files
         • HTTP session variables
         • cookie, frame, JavaScript, and NPH support
     • Debug the Perl script by running ./<script>.pl and entering the query string, e.g., order1=3&order2=4

  7. Passing Variables to CGI Program
     • SetEnv variable value
         e.g., SetEnv VHOST customers
       sets an environment variable to a value.
     • PassEnv <host env variable>
       passes host environment variables to the CGI program.
     • Find out the browser and version number:
         BrowserMatch browserRE env[=val1] env2[=val2]
       browserRE is a regular expression matched against the value in the User-Agent header; when it matches, the env variables are set.
     • e.g., BrowserMatch ^Mozilla/[23] tables=3 java frame

  8. Apache Built-in Handlers
     • Perform certain actions when a file with a particular MIME or handler type is called.
     • server-status: Get the server’s current status
     • server-info: Get the server’s configuration
     • server-parsed: Parses server-side includes
     • AddHandler handler-name extension
       maps a filename extension to handler-name and wakes up an existing handler.
     • e.g., AddHandler cgi-script cgi
       treats files with the .cgi extension as executable CGI scripts.

  9. SetHandler: Site.status
     • Include “SetHandler <handler-name>” in block directives, such as <directory> <location> <files>. This applies the transformation specified by handler-name to all files in the block.
         ExtendedStatus On
         <Location /status>
         <Limit GET>
         order deny,allow
         allow from 128.198
         deny from all
         </Limit>
         SetHandler server-status
         </Location>
     • Requires mod_access.
     • The method in <limit> must be upper case, e.g., GET instead of get. In Apache 1.2.5 <limit get> is ok but not in Apache 1.3.3.
     • allow from 128.198.0.0 is wrong, resulting in forbidden access.
     • Append the above to httpd.conf, then try http://bilbo:<portno>/status?refresh=5
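
Why `allow from 128.198` works on slide 9 while `allow from 128.198.0.0` is forbidden, shown with an added shell model of `order deny,allow` evaluation (an example written for this transcript, not Apache code and not part of the original slides). It assumes mod_access treats one to three octets as a network prefix and four octets as a single host, handles only `all` and numeric addresses, and uses a constructed client address; `from_matches` and `check_access` are hypothetical names.

```shell
#!/bin/sh
# Added example: simplified model of "order deny,allow" (not Apache source code).

# from_matches SPEC IP: succeed when an allow/deny "from" value covers IP.
from_matches() {
    spec=$1
    ip=$2
    case $spec in
        all)     return 0 ;;
        *.*.*.*) [ "$ip" = "$spec" ] ;; # four octets: exactly one host
        *)       case $ip in            # partial address: match whole octets only
                     "$spec".*) return 0 ;;
                     *)         return 1 ;;
                 esac ;;
    esac
}

# check_access IP "ALLOW SPECS" "DENY SPECS": print allowed or forbidden.
check_access() {
    client=$1
    verdict=allowed                     # deny,allow: access is allowed by default
    for d in $3; do                     # deny directives are evaluated first
        if from_matches "$d" "$client"; then verdict=forbidden; fi
    done
    for a in $2; do                     # allow is evaluated last and overrides deny
        if from_matches "$a" "$client"; then verdict=allowed; fi
    done
    printf '%s\n' "$verdict"
}

# Constructed client address inside 128.198.x.x, checked against both spellings.
check_access 128.198.162.60 "128.198" "all"       # prints "allowed"
check_access 128.198.162.60 "128.198.0.0" "all"   # prints "forbidden"
```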

  10. Perform Filtering on Certain File Type
     • Site.filter demonstrates compressing .html files using gzip and saving them as .zhtml files.
     • How much storage do we save in a web site by using this?
     • Overhead: compression, modification of web pages! Decompression on retrieval.
     • Actually there is an error on index.zhtml
     • The httpd.conf includes
         AddHandler peter-gzipped-html ghtml
         Action peter-gzipped-html /cgi-bin/unziphtml
     • Action <type> <cgi-script>
       passes a file with type=<type> through <cgi-script>.

  11. Site.Filter
     • unziphtml:
         #!/bin/sh
         # CGI header, then the blank line that ends the headers
         echo "content-type: text/html"
         echo
         # decompress the requested .zhtml file to stdout
         gzip -S .zhtml -d -c "$PATH_TRANSLATED"
     • gzip options:
         -c  write output to stdout
         -d  decompress
         -S .zhtml  use suffix .zhtml instead of .gz
     • Note that the .ghtml files got garbled.
     • The mime.types file format does not allow .html.gz
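
A defensive variant of slide 11's unziphtml handler, added here as an example and not part of the original slides: it applies the concerns from slide 2 (a CGI program reads whatever the httpd user can read, including through soft links) to the file named in PATH_TRANSLATED. `serve_zhtml` and `cgi_error` are hypothetical names, and the script assumes Apache supplies DOCUMENT_ROOT alongside PATH_TRANSLATED.

```shell
#!/bin/sh
# Added example: defensive variant of the slide's unziphtml (not the course's script).
# Assumes Apache passes DOCUMENT_ROOT and PATH_TRANSLATED to the Action handler.

cgi_error() {                           # $1 = status line, e.g. "403 Forbidden"
    printf 'Status: %s\r\nContent-Type: text/plain\r\n\r\n%s\n' "$1" "$1"
}

# serve_zhtml DOCROOT FILE: write a CGI response; return 1 when FILE is refused.
serve_zhtml() {
    docroot=$1
    file=$2
    case $file in                       # handle only the type this filter owns
        *.zhtml) ;;
        *) cgi_error '403 Forbidden'; return 1 ;;
    esac
    # A soft link could point at any file the httpd user can read: refuse it.
    if [ -L "$file" ] || [ ! -f "$file" ]; then
        cgi_error '404 Not Found'; return 1
    fi
    # Resolve both directories physically so ".." or a linked directory
    # cannot lead outside the document root.
    real_root=$([ -n "$docroot" ] && cd "$docroot" 2>/dev/null && pwd -P) &&
        real_dir=$(cd "$(dirname "$file")" 2>/dev/null && pwd -P) ||
        { cgi_error '500 Internal Server Error'; return 1; }
    case $real_dir/ in
        "$real_root"/*) ;;
        *) cgi_error '403 Forbidden'; return 1 ;;
    esac
    # Decompress before sending the header, so a corrupt file yields an
    # error response instead of a half-written page. Reading from stdin
    # keeps the file name out of gzip's argument list.
    body=$(gzip -d -c < "$file" 2>/dev/null) ||
        { cgi_error '500 Internal Server Error'; return 1; }
    printf 'Content-Type: text/html\r\n\r\n%s\n' "$body"
}

# Run as a CGI handler only when the server supplied a file to serve.
if [ -n "${PATH_TRANSLATED:-}" ]; then
    serve_zhtml "${DOCUMENT_ROOT:-}" "$PATH_TRANSLATED"
fi
```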

  12. Compressing/Modifying Web Pages
     • The web pages provided in site.filter on the CD-ROM are not correct. Please regenerate them with the following instructions. Note that before you compress, you need to modify the links to point to the compressed .zhtml files.
     • mv htdocs to htdoc.orig
     • mkdir htdocs; cd htdocs
     • cp ../../site.virtual/htdocs/customers/* .
     • Replace
         <li><A href="catalog_summer.html">Summer catalog </A>
         <li><A href="catalog_autumn.html">Autumn catalog </A>
       with
         <li><A href="catalog_summer.zhtml">Summer catalog </A>
         <li><A href="catalog_autumn.zhtml">Autumn catalog </A>
     • gzip *.html
     • Rename *.html.gz to *.zhtml

  13. Homework #4
     Exercise 1: Set up site.cgi
     Exercise 2: Set up site.status
     Exercise 3: Set up site.filter
