Scriptage
03-27-2003, 05:45 AM
Hey,
I was reading the excellent tutorial by Vladdy about communicating with a server side file using javascript. Basically a new element is created in the head of a document with the source set to the cgi program; this means that all kinds of functions can be performed server side by using javascript (sort of).
So to the point....It's quite common that people on these forums ask if it is possible to make a guestbook etc using javascript. So I made a perl file that handles basic file i/o and returns the values in javascript. This essentially gives javascript the ability to read and write files from the server.
This is all well and good but...It gives hackers an easy way to get into the server and mess with stuff. So I was wondering is there any way to disallow calls from anywhere but files located on the server??? So pagex.html on my server could call to the perl program but someone on somesite.com/pagex.html couldn't?
I tried changing file permissions but that won't work. I thought about using the referer to check against but http headers can easily be forged.
If we can get this working then it will be beneficial to all js users.
Imagine simply uploading a perl file to your cgi bin and being able to create a file simply by doing the following:
var fileName="somefile.txt";
var text = "hello world!";
file_write(fileName, text);
Thanks in advance
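An added example, not part of the original post or of the Perl program it describes: because the Referer can be forged, as the post notes, this code limits what any caller can make the endpoint do (one fixed directory, allowlisted file names, a size cap) and encodes stored text before it is returned as JavaScript to the script element. DATA_DIR, MAX_BYTES, NAME_RE, checkWrite and toScriptReply are assumed names, and the logic is written in JavaScript rather than Perl.

```javascript
// Added example; every name below is hypothetical, not from the original post.
const DATA_DIR = "/var/www/data";              // assumed: the only directory the endpoint may touch
const MAX_BYTES = 4096;                        // assumed size cap per write
const NAME_RE = /^[A-Za-z0-9_-]{1,32}\.txt$/;  // allowlist: no slashes, no "..", fixed extension

// Decide whether a file_write-style request is acceptable. The Referer header
// is not consulted: it is supplied by the client, so it proves nothing.
function checkWrite(fileName, text) {
  if (typeof fileName !== "string" || !NAME_RE.test(fileName)) {
    return { ok: false, reason: "bad file name" };
  }
  if (typeof text !== "string") {
    return { ok: false, reason: "bad text" };
  }
  // Measure UTF-8 bytes, which is what ends up on disk.
  if (new TextEncoder().encode(text).length > MAX_BYTES) {
    return { ok: false, reason: "text too large" };
  }
  // Reject control characters other than tab, LF and CR.
  if (/[\u0000-\u0008\u000B\u000C\u000E-\u001F]/.test(text)) {
    return { ok: false, reason: "control characters" };
  }
  return { ok: true, path: DATA_DIR + "/" + fileName };
}

// Build the JavaScript statement sent back to the <script src=...> element.
// Stored text may come from any visitor, so it is emitted as an escaped string
// literal and can never close the literal or the surrounding script element.
function toScriptReply(varName, value) {
  if (!/^[A-Za-z_$][A-Za-z0-9_$]{0,31}$/.test(varName)) {
    throw new Error("bad variable name");
  }
  const literal = JSON.stringify(String(value))
    .replace(/</g, "\\u003c")
    .replace(/\u2028/g, "\\u2028")
    .replace(/\u2029/g, "\\u2029");
  return "var " + varName + " = " + literal + ";";
}
```
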