Mailing List Archive

>In the Perl32 FAQ it says
>>>
>3. Is it possible to get https (EMWAC) to run a perl script?
>
> EMWAC and NT Perl5 work just fine together. Emwac handles CGI
> scripts in a slightly different way than most Web servers, however.
> When you specify the URL for a perl script, you need to specify the
> perl5 program, and the path to your perl script relative to your http
> document directory. For example:
> http://www.foo.com/cgi-bin/perl.exe?cgi-bin/archie.pl On the Netscape
> NT server, this would be http://www.foo.com/cgi-bin/perl.exe?archie.pl
> This would run the archie.pl script in your /https/cgi-bin/archie.pl
> directory, assuming that perl.exe is also in your cgi-bin directory.
>>>
> Actually - you don't need to do this. I don't know who to mail to get
> this changed, so I thought I'd post it here.
>
> I have EMWAC (0.99) and Perl for NT (build 091-i86) running and have
> successfully run perl scripts with just
> http://www.foo.com/cgi-bin/archie.pl

Yes, this is dangerous in the extreme . Here's my canned
warning that I send out several times a day to people
who haven't realized the danger they're in yet.

--tom

Subject: Your frightening posting about cgi and perl

I noticed you mention doing a remarkably dangerous thing. Perhaps
you read about it on
http://home.netscape.com/assist/support/server/tn/windows-nt/20202.html,
where I found the following terrifying advice:

The syntax for calling a Perl CGI script from one of your pages on a
Windows NT web server is different from the syntax used on Unix. You
need to put a copy of PERL.EXE into your cgi-bin directory, and use
this kind of anchor to it:

<A HREF="/cgi-bin/perl.exe?foo.pl">...</A>

In other words, you call PERL.EXE with "foo.pl" as its argument.

At risk of repeating myself....

**DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT**

I see no end of people taking this advice and writing

<A HREF="http://myhost.com/cgi-bin/perl.exe?foo.pl">...</A>

which means anyone else is quite able to do a GET on something like

http://myhost.com/cgi-bin/perl.exe?-e?'format?c:'

And format their disk or whatever they feel like.

Either I am deeply misunderstanding something about what they've done to
perl on those systems, or else this misguide advice ends up being an
accidental invitation to have your system abused beyond your wildest
dreams.

I have reported this severe doc bug to netscape, but so far there has
been neither a change to the page nor a response, so I decided it's
best to tell the world.

--tom

I have written a free Gateway for CMD.exe, Sh.exe and Perl.exe,
called CGI2Shell Gateway for EMWAC HTTPS. It allows to
start the scriptr for those Programs without having the
shell in the www document tree. It also looks explicit
for an script. So I think it is safe.

The new Version also supports Netscape Servers!

Have a look at
http://rick.wzl.rwth-aachen.de/rickg/cgi2shell/

Merry Xmas
Rick

> To: pcalvert@ECONOMICS.ADELAIDE.EDU.AU
> Copies to: ntperl@mail.hip.com
> Subject: Re: danger in NTFaq, and looking for find&replace
> Date sent: Thu, 21 Dec 95 23:04:12 MST
> From: Tom Christiansen <tchrist@mox.perl.com>

> >In the Perl32 FAQ it says
> >>>
> >3. Is it possible to get https (EMWAC) to run a perl script?
> >
> > EMWAC and NT Perl5 work just fine together. Emwac handles CGI
> > scripts in a slightly different way than most Web servers, however.
> > When you specify the URL for a perl script, you need to specify the
> > perl5 program, and the path to your perl script relative to your http
> > document directory. For example:
> > http://www.foo.com/cgi-bin/perl.exe?cgi-bin/archie.pl On the Netscape
> > NT server, this would be http://www.foo.com/cgi-bin/perl.exe?archie.pl
> > This would run the archie.pl script in your /https/cgi-bin/archie.pl
> > directory, assuming that perl.exe is also in your cgi-bin directory.
> >>>
> > Actually - you don't need to do this. I don't know who to mail to get
> > this changed, so I thought I'd post it here.
> >
> > I have EMWAC (0.99) and Perl for NT (build 091-i86) running and have
> > successfully run perl scripts with just
> > http://www.foo.com/cgi-bin/archie.pl
>
> Yes, this is dangerous in the extreme . Here's my canned
> warning that I send out several times a day to people
> who haven't realized the danger they're in yet.
>
> --tom
>
> Subject: Your frightening posting about cgi and perl
>
> I noticed you mention doing a remarkably dangerous thing. Perhaps
> you read about it on
> http://home.netscape.com/assist/support/server/tn/windows-nt/20202.html,
> where I found the following terrifying advice:
>
> The syntax for calling a Perl CGI script from one of your pages on a
> Windows NT web server is different from the syntax used on Unix. You
> need to put a copy of PERL.EXE into your cgi-bin directory, and use
> this kind of anchor to it:
>
> <A HREF="/cgi-bin/perl.exe?foo.pl">...</A>
>
> In other words, you call PERL.EXE with "foo.pl" as its argument.
>
> At risk of repeating myself....
>
> **DO NOT DO THAT**
> **DO NOT DO THAT** **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** **DO NOT DO THAT**
> **DO NOT DO THAT** **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** !!!! **DO NOT DO THAT**
> **DO NOT DO THAT** **DO NOT DO THAT**
> **DO NOT DO THAT**
>
> I see no end of people taking this advice and writing
>
> <A HREF="http://myhost.com/cgi-bin/perl.exe?foo.pl">...</A>
>
> which means anyone else is quite able to do a GET on something like
>
> http://myhost.com/cgi-bin/perl.exe?-e?'format?c:'
>
> And format their disk or whatever they feel like.
>
> Either I am deeply misunderstanding something about what they've done to
> perl on those systems, or else this misguide advice ends up being an
> accidental invitation to have your system abused beyond your wildest
> dreams.
>
> I have reported this severe doc bug to netscape, but so far there has
> been neither a change to the page nor a response, so I decided it's
> best to tell the world.
>
> --tom
>
>
=========================================================
\ Richard Graessler /
/-------------------------------------------------------\
\ WZL der RWTH Aachen (Aachen University of Technology) /
\ Steinbachstr. 53B, D-52056 Aachen, Germany \
/-------------------------------------------------------/
\ phone: +49 (241) 80 7381 fax: +49 (241) 8888 293 \
/ email: R.Graessler@wzl-ps1.wzl.rwth-aachen.de /
\ lifetime email: rickg@pobox.com \
=========================================================
The opinions expressed here are my own and must not
reflect the opinions of my employer or the university.

Hello,

Isnt it true that the -e flag in NTPerl5 is not supported? For this very
reason?

Raymond Forbes
ITG Messaging Operations

----------
From: Tom Christiansen[SMTP:tchrist@mox.perl.com]
Sent: Thursday, December 21, 1995 10:04 PM
To: pcalvert@ECONOMICS.ADELAIDE.EDU.AU
Cc: ntperl@mail.hip.com
Subject: Re: danger in NTFaq, and looking for find&replace

>In the Perl32 FAQ it says
>>>
>3. Is it possible to get https (EMWAC) to run a perl script?
>
> EMWAC and NT Perl5 work just fine together. Emwac handles CGI
> scripts in a slightly different way than most Web servers, however.
> When you specify the URL for a perl script, you need to specify the
> perl5 program, and the path to your perl script relative to your http
> document directory. For example:
> http://www.foo.com/cgi-bin/perl.exe?cgi-bin/archie.pl On the Netscape
> NT server, this would be http://www.foo.com/cgi-bin/perl.exe?archie.pl

> This would run the archie.pl script in your /https/cgi-bin/archie.pl
> directory, assuming that perl.exe is also in your cgi-bin directory.
>>>
> Actually - you don't need to do this. I don't know who to mail to get
> this changed, so I thought I'd post it here.
>
> I have EMWAC (0.99) and Perl for NT (build 091-i86) running and have
> successfully run perl scripts with just
> http://www.foo.com/cgi-bin/archie.pl

Yes, this is dangerous in the extreme . Here's my canned
warning that I send out several times a day to people
who haven't realized the danger they're in yet.

--tom

Subject: Your frightening posting about cgi and perl

I noticed you mention doing a remarkably dangerous thing. Perhaps
you read about it on
http://home.netscape.com/assist/support/server/tn/windows-nt/20202.html,
where I found the following terrifying advice:

The syntax for calling a Perl CGI script from one of your pages on a
Windows NT web server is different from the syntax used on Unix. You
need to put a copy of PERL.EXE into your cgi-bin directory, and use
this kind of anchor to it:

<A HREF="/cgi-bin/perl.exe?foo.pl">...</A>

In other words, you call PERL.EXE with "foo.pl" as its argument.

At risk of repeating myself....

**DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** !!!! **DO NOT DO THAT**
**DO NOT DO THAT** **DO NOT DO THAT**
**DO NOT DO THAT**

I see no end of people taking this advice and writing

<A HREF="http://myhost.com/cgi-bin/perl.exe?foo.pl">...</A>

which means anyone else is quite able to do a GET on something like

http://myhost.com/cgi-bin/perl.exe?-e?'format?c:'

And format their disk or whatever they feel like.

Either I am deeply misunderstanding something about what they've done to
perl on those systems, or else this misguide advice ends up being an
accidental invitation to have your system abused beyond your wildest
dreams.

I have reported this severe doc bug to netscape, but so far there has
been neither a change to the page nor a response, so I decided it's
best to tell the world.

--tom

> From: "Raymond Forbes (CompuCom)" <a-rayf@microsoft.com>
>
> Hello,
>
> Isnt it true that the -e flag in NTPerl5 is not supported? For this very
> reason?

If that's the case (-e being unsupported) then it's both misguided and broken.

> Raymond Forbes
> ITG Messaging Operations

> ----------
> From: Tom Christiansen[SMTP:tchrist@mox.perl.com]
>
> I noticed you mention doing a remarkably dangerous thing. Perhaps
> you read about it on
> http://home.netscape.com/assist/support/server/tn/windows-nt/20202.html,
> where I found the following terrifying advice:
>
> The syntax for calling a Perl CGI script from one of your pages on a
> Windows NT web server is different from the syntax used on Unix. You
> need to put a copy of PERL.EXE into your cgi-bin directory, and use
> this kind of anchor to it:
>
> <A HREF="/cgi-bin/perl.exe?foo.pl">...</A>
>
> In other words, you call PERL.EXE with "foo.pl" as its argument.
>
> At risk of repeating myself....
>
> **DO NOT DO THAT**

Tim.