Octave CGI pet project


Octave CGI pet project

vrozos
Hi guys,

I prepared a pet project in Octave with the CGI package. You can visit
it here:

http://195.201.16.117/RocketBurnTime_theory.html

I am a little worried about security holes. A friend of mine told me CGI
scripts are not advisable anymore, frameworks like Django are used instead.

The server I am running the script is not critical, but it runs some
useful services.

Since this project is of no practical use, and because of the security
concerns, I am thinking of to turn it off, unless you think it would be
nice as an example of Octave capabilities.

Ideas?

Thanks

Evangelos Rozos




Re: Octave CGI pet project

Andreas Weber-6
On 20.03.20 at 12:39, Evangelos Rozos wrote:
> http://195.201.16.117/RocketBurnTime_theory.html

Do you have the scripts online? I think the biggest problem is securing
your inputs for command injection. And of course it can make sense to
run something like this in a container.

-- Andy



Re: Octave CGI pet project

vrozos
The scripts are in /usr/lib/cgi-bin/

-rwxr-xr-x  1 www-data www-data 1001 Mar 20 12:56 rocketburntime.cgi*
-rw-r--r--  1 www-data www-data 3688 Mar 20 12:52 RocketBurnTime_form.html
-rw-r--r--  1 www-data www-data 1775 Mar 20 12:58 rocketburntime.m

The main page is in /var/www/html/, the plot in /var/www/html/images.
Everything belongs to www-data.

But, before discussing security, do you think it has any significant worth
being online?



--
Sent from: https://octave.1599824.n4.nabble.com/Octave-General-f1599825.html



Re: Octave CGI pet project

nrjank
In reply to this post by vrozos
On Fri, Mar 20, 2020 at 7:39 AM Evangelos Rozos <[hidden email]> wrote:
Hi guys,

I prepared a pet project in Octave with the CGI package. You can visit
it here:

http://195.201.16.117/RocketBurnTime_theory.html

I am a little worried about security holes. 

For that reason alone, it's generally customary to provide at least a short description of what's on the other side of that link, why I might want to click through to it, etc. 



Re: Octave CGI pet project

vrozos

Re: Octave CGI pet project

Francesco Potortì
In reply to this post by vrozos
>I prepared a pet project in Octave with the CGI package. You can visit
>it here:
>
>http://195.201.16.117/RocketBurnTime_theory.html
>
>I am a little worried about security holes. A friend of mine told me CGI
>scripts are not advisable anymore, frameworks like Django are used instead.

I have an old script running on a web server at
http://wnet.isti.cnr.it/software/damatfrc/

It is the output of some computations I had made.  Complete source and
details are available on the web page, together with interactive
parameter settings and plot drawing.  It was made before the cgi package
ever existed, and takes care of checking parameter inputs (which is
relatively easy, as they are all numeric).

--
Francesco Potortì (ricercatore)        Voice:  +39.050.621.3058
ISTI - Area della ricerca CNR          Mobile: +39.348.8283.107
via G. Moruzzi 1, I-56124 Pisa         Skype:  wnlabisti
(gate 20, 1st floor, room C71)         Web:    http://fly.isti.cnr.it
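As an added example (not code from this thread, from Evangelos's scripts, or from the Octave CGI package), here is the kind of numeric input check Andreas and Francesco describe, written in Octave: the raw query string is never spliced into a command line; each parameter is accepted only if it is a plain decimal number inside a known range. The function name, parameter names and limits are assumptions.

```octave
1;  # script file: make Octave treat the function below as a local definition

## numeric_param: return parameter NAME from raw QUERY_STRING text QUERY as a
## double, or raise an error. Only a plain decimal number (optional sign and
## exponent) is accepted; anything else, including an empty value, is rejected.
function v = numeric_param (query, name, lo, hi)
  pairs = strsplit (query, "&");
  for i = 1:numel (pairs)
    kv = strsplit (pairs{i}, "=");
    if (numel (kv) == 2 && strcmp (kv{1}, name))
      raw = kv{2};
      ## Single-quoted pattern so Octave does not process the backslashes.
      if (isempty (regexp (raw, '^[-+]?(\d+\.?\d*|\.\d+)([eE][-+]?\d+)?$', "once")))
        error ("numeric_param: parameter %s is not a plain number", name);
      endif
      v = str2double (raw);
      ## A syntactically valid number can still overflow to Inf (e.g. 1e999).
      if (! isfinite (v) || v < lo || v > hi)
        error ("numeric_param: parameter %s outside [%g, %g]", name, lo, hi);
      endif
      return;
    endif
  endfor
  error ("numeric_param: parameter %s missing", name);
endfunction

## Constructed query string standing in for getenv ("QUERY_STRING") in a CGI run.
q = "thrust=1500&mass=20.5&isp=300";
thrust = numeric_param (q, "thrust", 0, 1e7);   # hypothetical limits
mass   = numeric_param (q, "mass",   0, 1e5);
printf ("validated: thrust=%g mass=%g\n", thrust, mass);

## If a subprocess is unavoidable, hand it only the validated double formatted
## with %g; the original text from the request must never reach system().
printf ("safe argument text: %s\n", sprintf ("%.15g", mass));

## Rejected inputs: a trailing non-numeric character, and an overflowing value.
for bad = {"mass=20.5x", "mass=1e999"}
  try
    numeric_param (bad{1}, "mass", 0, 1e5);
  catch err
    printf ("rejected %s: %s\n", bad{1}, err.message);
  end_try_catch
endfor
```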