0

I'm on a hosted linux web server running Apache 2.2.25. The following shtml just shows the contents of the perl script rather than executing the script. I understand that the script runs from ssh (I don't have access to ssh). I'm sure I'm missing something in the .htaccess file. Any help would be gratefully received.

shtml

<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
<head>
<meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
<title>Perl</title>
</head>
<body>

<!--#exec cgi="cgi-bin/test.pl"-->

</body>
</html>

perl (test.pl)

#!/usr/bin/perl
print "HELLO FROM PERL";

.htaccess

AddHandler cgi-bin .pl .cgi
AddType text/html .shtml .php
AddOutputFilter INCLUDES .shtml .php

Options +Includes
Head for the hills
  • 3
  • 1
  • 3

1 Answers1

0

ExecCGI

I'm guessing your cgi-bin directory is not ScriptAlias'ed, in which case you will need to use the ExecCGI option in addition to setting a handler:

AddHandler cgi-script .cgi .pl
Options +ExecCGI

Also make sure that Apache has execute permissions for your scripts. See Configuring Apache to permit CGI for details.

#include virtual

Also, you should use the SSI command #include virtual instead of #exec cgi:

<!--#include virtual="/cgi-bin/test.pl" -->

According to the Apache manual:

The use of #include virtual is almost always prefered to using either #exec cgi or #exec cmd. The former (#include virtual) uses the standard Apache sub-request mechanism to include files or scripts. It is much better tested and maintained.

What's worse, #exec can be used to run arbitrary code on your web server. It's actually best to disable it completely:

Options +IncludesNOEXEC

#include also allows you to pass arguments to your CGI via the query string, e.g.

<!--#include virtual="/cgi-bin/test.pl?arg1=foo&arg2=bar" -->

which you can't do with #exec.

Note that the argument you pass to #include virtual is a URL relative to the current document, not a file path.

I would recommend reading Apache's Introduction to Server Side Includes if you haven't already.

XBitHack

Finally, instead of requiring SSI files to have a special file extension (.shtml), I prefer to use the XBitHack directive:

XBitHack on

Any text/html file with the user execute bit set will be parsed for SSI. This means you don't have to rename files (possibly breaking links or users' bookmarks) when you want to add SSI to them.

Putting it all together, I would set .htaccess like this:

AddHandler cgi-script .cgi .pl
Options +ExecCGI +IncludesNOEXEC
XBitHack on
ThisSuitIsBlackNot
  • 23,492
  • 9
  • 63
  • 110
  • I made the changes you suggested (thanks) and get the error **unable to include potential exec "/cgi-bin/test.pl" in parsed file /home/.../public_html/.../perl.shtml**. – Head for the hills Jan 25 '14 at 08:09
  • @Headforthehills 1) Does the Apache user have execute permissions on `test.pl`? 2) Try removing the leading `/` from the URL in the `#include`: ` – ThisSuitIsBlackNot Jan 27 '14 at 20:30