perl scripts in dlr/EDIT show code in browser

Project:RUcore dlr/EDIT
Version:7.6.1
Component:Code
Category:bug report
Priority:critical
Assigned:triggs
Status:closed
Description

Now that dlr/EDIT has moved away from using the authenticate database, all of the Perl scripts in the dlr/EDIT directory will show their source code if the URL is entered in the browser.

Example: http:///mss3.libraries.rutgers.edu/dlr/EDIT/findsigs4.pl

I assume this happens because only *.php files are being redirected
for sso.

There are 99 *.pl scripts still in dlr/EDIT that are being delivered with the code to the production repository. Did we not state that all Perl scripts were to be converted to PHP?

./cleanfed.pl
./testmarc2.pl
./chxml.pl
./findds.pl
./dcfilter.pl
./purgeplain.pl
./findobjects.pl
./listds.pl
./testmarc.pl
./parsexml2.pl
./xmldisplay.pl
./zapsigs.pl
./parsefedoraxml2.pl
./getdelds.pl
./newest-purgeds.pl
./setsort.pl
./parseaf.pl
./compchecksum.pl
./parselist.pl
./purgeds.pl
./ingestonly.pl
./parsesql.pl
./getds.pl
./daily.pl
./addrdfds.pl
./finddsversions.pl
./getds2.pl
./purgeobj.pl
./moddsv.pl
./ingestobj3.pl
./getdeldslinks.pl
./findrels.pl
./addrels.pl
./compchecksumlite.pl
./getcollection.pl
./findobj.pl
./jat-notification/loop.pl
./getpid.pl
./xpath/class/doc/GeneratePhpDocumentation.pl
./xpath/matt_xpath.pl
./xpath/validate.pl
./xpath/test2.pl
./xpath/validate-fox.pl
./xpath/dmvalidate.pl
./getcolls.pl
./getcollhits.pl
./notification/loop.pl
./hasmarc.pl
./XMLFORM/moddsr2.pl
./XMLFORM/xmldisplay.pl
./XMLFORM/older-getdsedit.pl
./XMLFORM/getdsedit-to-100212.pl
./XMLFORM/moddsv2.pl
./XMLFORM/new-moddsv2.pl
./XMLFORM/getdsedit.pl
./soaptest.pl
./getdeldspage.pl
./getds3.pl
./moddsr.pl
./findsigs2.pl
./putpid.pl
./parsefedoraxmlframessql.pl
./findsigs3.pl
./diffcolor.pl
./getformat.pl
./changeleftyhandles.pl
./new-purgeds.pl
./parselist2.pl
./redosigs.pl
./getrels2.pl
./findsigs.pl
./handleparser.pl
./getdspage.pl
./ingestonlyfile.pl
./getobj.pl
./vdate.pl
./putcheck.pl
./runpurge.pl
./purgerels.pl
./getrels.pl
./recfilter.pl
./new-addds.pl
./addchecksum.pl
./ingest.pl
./getfedoraoai-stream.pl
./addds.pl
./findsigs4.pl
./getdissid.pl
./exportobj.pl
./new-getcollection.pl
./apilynx.pl
./prepmods2marc.pl
./purgedslinks.pl
./affiltersql.pl
./domods.pl
./notification_7.6/loop.pl
./modifyobj.pl
./oldnotification/loop.pl

Comments

#1

Thanks, Dave, for noticing these. Most of these are either useful tools (e.g., chxml.pl, which shouldn't live in EDIT) or support scripts (e.g., putcheck.pl) that are no longer being used by anything in dlr/EDIT where the functionality has been converted to PHP. [In one of two instances, the Perl script was maintained for backward compatibility, though it now only called a PHP script through a socket.] If they are not already out of the tree or in .cvsignore, they should and can be moved to one of these. They would always have shown (just like PHP .inc files) if someone who knew their names from looking at the file system put them into a URL. The Apache directory listing is disabled as usual.

#2

I've cleaned out all the old files that no longer had a function. There will be a much smaller footprint for dlr/EDIT going forward. I've also added a few .htaccess rules that will prevent certain files from displaying in a browser:
<files ~ "\.pl$">
Order allow,deny
Deny from all
</files>
<files ~ "\.inc$">
Order allow,deny
Deny from all
</files>
<files ~ "\.sh$">
Order allow,deny
Deny from all
</files>
This url:
http://rep-test.libraries.rutgers.edu/dlr/EDIT/findsigs4.pl
now generates:
Forbidden

You don't have permission to access /dlr/EDIT/findsigs4.pl on this server.
etc.
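The three rules above are Apache 2.2 syntax (mod_authz_host's Order/Deny). The fragment below is an added example, not the ticket's own .htaccess and not part of the RUcore code base: it collapses the three blocks into one pattern, gives the Apache 2.4 (mod_authz_core) equivalent, and adds an allow-list variant that denies everything in the directory except the .php entry points, so the protection no longer depends on remembering every non-PHP extension that might end up in the tree. It assumes the directory is served by Apache and that the vhost's AllowOverride permits these directives (Limit for Order/Deny, AuthConfig for Require). Use exactly one of the three sections, not all of them in the same file.

```apache
# Added example for dlr/EDIT-style directories; hypothetical, not the
# project's .htaccess. Pick ONE of the three sections below.

# (a) Apache 2.2: same effect as the three per-extension blocks in
#     comment #2, as a single regex. Needs AllowOverride Limit.
<FilesMatch "\.(pl|inc|sh)$">
    Order allow,deny
    Deny from all
</FilesMatch>

# (b) Apache 2.4: Order/Deny only work via mod_access_compat there, and
#     mixing the two styles in one config gives confusing results, so
#     use Require instead. Needs AllowOverride AuthConfig.
<FilesMatch "\.(pl|inc|sh)$">
    Require all denied
</FilesMatch>

# (c) Apache 2.4 allow-list: deny every file in this directory, then
#     re-enable only the PHP entry points. A later <FilesMatch> that
#     matches the same request replaces the earlier one's Require, so
#     .php is served and everything else (.pl, .inc, .sh, .sql, .bak,
#     editor backup files, ...) is refused without listing them.
<FilesMatch ".">
    Require all denied
</FilesMatch>
<FilesMatch "\.php$">
    Require all granted
</FilesMatch>
```

After deploying, check a denied file and an allowed one, for example `curl -sI http://rep-test.libraries.rutgers.edu/dlr/EDIT/findsigs4.pl | head -1` (expect a 403) and the same for one of the converted .php pages (expect a 200); if the directory also serves static assets, extend the allow-list pattern in (c) to cover them, otherwise they will be refused too. The .htaccess rules are a safety net: as comment #1 says, the primary control is keeping tools and support scripts that are not web entry points out of the document root altogether.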

#3

Status:active» test

#4

Status:test» fixed

I tested a few of the scripts listed here and got "You don't have permission to access /dlr/EDIT/xxxx.pl" message.

#5

Status:fixed» closed
