Apache/CGI

From Wikibooks, open books for an open world
Jump to navigation Jump to search
Security Apache
CGI
TOC

CGI scripts[edit]

The CGI (Common Gateway Interface) is a norm permitting Apache to execute some programs, which can be written in any programming language (Bash, C, Java, Perl, PHP, Python...), from the moment it's executable and it respects certain in/out constraints.

Configure the CGI scripts access[edit]

To make Apache interpret the scripts, it's necessary to do a minimum of settings in the site configuration.

ScriptAlias[edit]

The directive (from httpd.conf):

 ScriptAlias /cgi-bin/ ''/scripts path/''

precise the folder name where Apache is authorized to executer the CGI scripts.[1]

Unix example:

 ScriptAlias /cgi-bin/ /var/www/cgi-bin

Windows example, use the URL format (no backslash):

 ScriptAlias /cgi-bin/ "C:/wamp/bin/apache/apache2.2.27/cgi-bin/"

Actually the path /cgi-bin/ doesn't really exist, it's redirected to the scripts path, set by the directive, and it allows to write some URL like http://server/cgi-bin/my_script.

ExecCGI[edit]

The following clause activates the option ExecCGI in /var/www/cgi-bin, which authorize Apache to execute some scripts on the server:

 <Directory /var/www/cgi-bin>
   Options ExecCGI
 </Directory>

For example, if a script is called essai.cgi into /home/httpd/cgi-bin:

 <Directory /home/httpd/cgi-bin>
   Options ExecCGI
 </Directory>

Then, call the URL: http://serveur/cgi-bin/essai.cgi

AddHandler[edit]

This clause permits to choose the files extensions which will be authorized, eg:

 AddHandler cgi-script .cgi .exe .pl .py .vbs

Recapitulation[edit]

Full example on Windows, in the Apache configuration:

 ScriptAlias /cgi-bin/ "E:/www/cgi-bin/"
 <Directory "E:/www/cgi-bin/">
   Options FollowSymLinks Indexes
   AllowOverride All
   Order deny,allow
   Allow from all
   Require all granted		
 </Directory>

In E:/www/cgi-bin/.htaccess :

 AddHandler cgi-script .cgi .exe .pl .py .vbs

Write a CGI program[edit]

The main constraint concerns the program outputs. If a CGI script generates some data on its standard output, he must display an HTTP header before, allowing to identify them.

Bash[edit]

#!/bin/bash

# Header
echo "Content-type: text/html"

# Header end
echo ""

# Content to display in the navigator
echo "<html><body>Hello World!</body></html>"

This script generates an HTML page.

Perl[edit]

#!c:/perl/perl/bin/perl.exe -w
use CGI;
my $query = new CGI;
my $Name = $query->param('Name');
print $query->header();
print "Hello World!"

Python[edit]

#!C:\Program Files (x86)\Python\python.exe
# -*- coding: UTF-8 -*-
print "Content-Type: text/plain;charset=utf-8"
print
print "Hello World!"

VBS[edit]

For Windows.[2]

'!c:/windows/system32/cscript //nologo
Wscript.Echo "Content-type: text/html" & vbLF & vbLF
WScript.Echo "Hello World!"
Wscript.Quit 0

Known errors[edit]

  • Error 500 Server error!: replace a Deny from all by a Allow from all.

or

# setsebool -P httpd_enable_cgi 1
# chcon -R -t httpd_sys_script_exec_t cgi-bin/your_script.cgi
  • Error 403 Forbidden access: impossible to list this folder, so call directly its files.
  • If the file source code is appearing in the navigator: the .htaccess is not properly set.
  • couldn't create child process: replace the path after shebang. For example:
    #!/usr/bin/perl par #!c:/perl/perl/bin/perl.exe -w.
    #!/usr/bin/env python par #!C:\Program Files (x86)\Python\python.exe.
  • End of script output before headers: missing header (eg: move the importation before print "Content-Type: text/plain;charset=utf-8"). But it can also be the symptom of a compilation error in the script language.
  • malformed header from script: Bad header: : the header is not adapted (eg: replace #print "Content-Type: text/plain;charset=utf-8" by print "Content-type: text/html\n\n" if there is a print "<html>" after).

Otherwise consult the Apache logs...

References[edit]

  1. http://httpd.apache.org/docs/current/en/howto/cgi.html
  2. http://wiki.uniformserver.com/index.php/CGI:_VBScript_CGI