Re: What CGI is the best?

From: SRE <eckert(at)not-real.climber.org>
Date: Thu Dec 02 1999 - 00:01:37 GMT
At 09:35 AM 12/1/99 -0800, New Tecumseth Public Library wrote:
>Everything is indexing/searching properly and I'm ready to set up my web
>interface.  I was just wondering what CGI script everyone else is using

I got JSWISHI from James Dean Palmer, at
  http://www.tiger-marmalade.com/~james/code/

The thing I like the most is that he's isolated the CGI script itself
from the template which determines how the page looks. Changing the
text of the template does not risk damaging the script itself. Your
service provider might be more comfortable with you uploading a new
.html file every so often, as opposed to uploading a new .cgi file!

It worked just fine, but I couldn't resist tampering. Your post reminded
me that I didn't send him my final version... I made some security
improvements like NOT using backticks to run the swish-e program,
and I added some new features. I've used it on WinNT and FreeBSD,
both running Apache. The backtick removal trick kills WinNT because
NT does not fully implement fork/exec, so the backtick call is still
there in comments if you want to be unsafe again.

One cool feature of his script is check-boxes for various index
files. It searches the ones you select, extracting previews on the
fly, and shows matches separated by category. You can page through
matches in any of the categories, and you can jump to the section
showing matches from any of the categories. The template includes
a hook for local or remote help.

I'll send my latest version to James today, and if you want a copy
before he has time to digest it just send me an off-list request.
My mods are not intended to create a separate product, and he has
indicated a desire to fold them into his existing script.

(end of CGI notes, start of C notes!)

BTW, I've also made some improvements to the swish source and sent
it to the developers. I don't think they've had a chance to look at
what I did, but they have a copy. I will email the URL to anyone
who asks off-list.

My sysadmin would not let me install it "as is" because of some
security holes he perceived. I've fully commented all of the files
I changed, which include the README and many of the source files.

The main goal was to "protect" sprintf, strcat, and strcpy from
buffer overflow. They all have buffer size checks or use
length-limited replacement routines. This required adding args
to a couple of routines (like Stem())... most of the strcpy's
were fairly safe, but strcat in a loop is a scary thing and
the current source has some of that.

In addition, I added a missing "#include" to index.c (which has
been discussed several times on this email list but never done)
to avoid compiler warnings about function prototypes.

Finally, and perhaps this will generate the most concern, I put
some #ifdefs in swish.c and added a new Makefile target. You can
now build a "read-only" version of swish-e, called swish-search,
that can read index files but cannot write them. This makes for
a slightly safer environment, where even if a hacker gets past
your CGI he cannot cause the program to attempt writing files.
I didn't do a whiz-bang job, separating source files and all that,
but the CALLS TO routines which merge and create index files
should be gone even if some of the routines are still linked in.
(This idea was prompted by Swish++, which I could never get to
compile but which has separate programs for creating and reading
the index files.)


SRE

mailto:eckert(at)not-real.climber.org | http://www.climber.org/eckert/
Info on peak climbing email lists mailto:info@climber.org

"Only those who will risk going too far
can possibly find out how far they can go."
  -- T. S. Eliot
Received on Wed Dec 1 16:42:39 1999
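The post's C notes say the swish source had `strcat` in a loop and that the fix was buffer size checks or length-limited replacement routines. The block below is an added illustration of that fix and is not code from swish-e or from SRE's patch; the function names `bounded_append`, `join_words` and `self_check` are hypothetical. It shows the two defensive idioms the post alludes to: an all-or-nothing append that refuses to write past the buffer, and a loop that tracks the bytes already used instead of letting `strcat` rescan and run off the end.

```c
#include <stdio.h>
#include <string.h>

/*
 * The pattern the post calls scary, shown only as a comment because it is
 * undefined behaviour once the words no longer fit:
 *
 *     char out[16]; out[0] = '\0';
 *     for (i = 0; i < nwords; i++) { strcat(out, " "); strcat(out, words[i]); }
 *
 * strcat() has no idea how big `out` is, so the loop silently overflows.
 */

/* Hypothetical helper: append src to dst only if ALL of src (plus the
 * terminating NUL) fits within dst_size bytes. Returns 0 on success and
 * -1 if the append was refused; dst is left unchanged on refusal. */
int bounded_append(char *dst, size_t dst_size, const char *src)
{
    size_t used = 0;
    /* Find the current length without trusting that dst is terminated. */
    while (used < dst_size && dst[used] != '\0')
        used++;
    if (used >= dst_size)            /* no terminator inside the buffer */
        return -1;

    size_t need = strlen(src);
    if (need > dst_size - used - 1)  /* would not leave room for the NUL */
        return -1;

    memcpy(dst + used, src, need + 1);
    return 0;
}

/* Hypothetical helper: join words with single spaces into a fixed-size
 * buffer, tracking `used` explicitly so the loop never rescans and never
 * writes past out_size. Stops at the first word that does not fit whole.
 * Returns the number of words appended in full. */
size_t join_words(char *out, size_t out_size, const char **words, size_t nwords)
{
    size_t used = 0, appended = 0;
    if (out_size == 0)
        return 0;
    out[0] = '\0';

    for (size_t i = 0; i < nwords; i++) {
        size_t wlen = strlen(words[i]);
        size_t need = (i > 0 ? 1 : 0) + wlen;     /* separator + word */
        if (need > out_size - used - 1)           /* all-or-nothing check */
            break;
        if (i > 0)
            out[used++] = ' ';
        memcpy(out + used, words[i], wlen);
        used += wlen;
        out[used] = '\0';
        appended++;
    }
    return appended;
}

/* Exercises both helpers on constructed input; returns 1 if every check
 * holds, 0 otherwise. Kept as a function so it can be asserted on. */
int self_check(void)
{
    char small[8] = "abc";
    if (bounded_append(small, sizeof small, "defg") != 0) return 0;   /* exactly fills */
    if (strcmp(small, "abcdefg") != 0) return 0;
    if (bounded_append(small, sizeof small, "h") != -1) return 0;     /* refused */
    if (strcmp(small, "abcdefg") != 0) return 0;                      /* unchanged */

    const char *words[] = { "swish", "search", "index", "merge" };    /* constructed */
    char out[16];
    size_t n = join_words(out, sizeof out, words, 4);
    if (n != 2) return 0;                          /* "swish search" fits, " index" does not */
    if (strcmp(out, "swish search") != 0) return 0;
    return 1;
}

int main(void)
{
    printf("self_check: %s\n", self_check() ? "ok" : "FAILED");
    return self_check() ? 0 : 1;
}
```

The key design choice is that both helpers treat the buffer size as an input and fail closed: a word that does not fit is dropped rather than partially written, so the caller can report truncation instead of corrupting whatever sits after the buffer.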