Perl & server side includes on a overloaded server - Perl Server Side CGI Scripting forum at WebmasterWorld - WebmasterWorld

Forum Moderators: coopster & phranque

Message Too Old, No Replies

Perl & server side includes on a overloaded server

How safe shtml really are? (server returning the source code)

explorador

2:02 am on Mar 23, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Hi webmasters, I'm wondering about the source code security on shtml files with perl code or server side includes. I searched on the web for answers but still no luck.

Per example: sometimes certain problems on a server may cause php files to be downloaded instead of executed (specially on peak times). I'm sure the server config has a lot to do with it. As far as my experience goes, my perl code never been compromised (or showed), the only problem if any was "internal server error" or "out of memory" when there is too much work at once (shared servers).

By now I came up with a solution on a project using shtml files, this can call and execute in place many perl files OR the best feature for me here is to execute conditions and show certain portions of the html and hidding the rest to the user.

PD. I have a lot of files that instead of turning into code inside a perl file I would like to keep them as html files for dreamweaver modifications on the file. Long explanation short: not always it will be us as programmers who will modify the layout (beyond css).

I know shtml files mean extra work on the server, but if a problem occurs, would the source code ever be compromised? showed to the user?

Thanks in advance.

phranque

4:01 am on Mar 23, 2010 (gmt 0)

WebmasterWorld Administrator

10+ Year Member

Top Contributors Of The Month

there are three things you can do that will help to prevent code exposure and these methods are all mentioned in this Webmaster General thread:
Include File Is Not Working [webmasterworld.com]

- the include virtual [httpd.apache.org] SSI command
- the AddHandler Directive [httpd.apache.org] of the apache mod_mime module
- the ScriptAlias Directive [httpd.apache.org] of the apache mod_alias module

explorador

4:05 pm on Mar 24, 2010 (gmt 0)

WebmasterWorld Senior Member

10+ Year Member

Top Contributors Of The Month

Thanks phranque, I'm not sure I understand this is related to my question. Even so I read the info and it is useful for me in other ways.

What I meant is if at any time server side includes fail just like php files on certain situations (not regarding a bad config). Using SSI would help me a lot to preserve the original html files with their sections being editable in Dreamweaver while the scripts are only scripts.

My solution to this today is to keep the html files as they are and create perl files who would only read and print those html files. Why? I want to avoid copying the text and creating the perl file itself with the html inside. Keeping separate files sure means x2 files but I can (or anybody) can edit the html file and then upload it back to the server.

As for security, I found on the links you provide me something very useful that goes kinda like this: "you can run perl scripts outside the server cgi-bin but in case of failure the source code might be revealed... so, store the perl files ONLY inside the cgi-bin". That's what I always do and will keep doing, this solves my question in many ways.

So at the end I will avoid SSI, will keep using perl inside the cgi-bin and will add mod rewrite to the formula to have site.com/page.htm instead of the long url.

Thanks, the info was very useful.

phranque

4:22 am on Mar 25, 2010 (gmt 0)

WebmasterWorld Administrator

10+ Year Member

Top Contributors Of The Month

you are quite welcome - i was trying to point out how you can protect your code from exposure by method of invocation, file naming convention or location.