Professional Documents
Culture Documents
To login to Zenit account, just ssh it like ssh zenit.senecac.on.ca and enter that Zenit
account information.
https://scs.sene HYPERLINK "https://scs.senecac.on.ca/~int420/" HYPERLINK
"https://scs.senecac.on.ca/~int420/" HYPERLINK "https://scs.senecac.on.ca/~int420/"c
HYPERLINK "https://scs.senecac.on.ca/~int420/" HYPERLINK
"https://scs.senecac.on.ca/~int420/" HYPERLINK
"https://scs.senecac.on.ca/~int420/"ac.on.ca/~int420/
Course is focused on 3 main things:
Apache
CGI scripts using Perl.
HTTP
CGI = Common Gateway Interface - It is, in simplest terms, programming for the web.
A CGI can be written in any language, but we focus on Perl. Perl is a scripting language
while HTML is a web developing language.
CGIs are what make webpages like Amazon & Yahoo run, as you can use them to
create forms the user can fill out, or even a simple counter to let people know how many
viewers the website has had.
Perl is an interpreted language, meaning that you dont have to compile it. You just write
it and run it. The disadvantage is you cannot find any bugs within the script until you run
it.
Child processes are responsible for sending back a response. Child process gets
resource from disk, create HTTP response headers. If all child processes are used, the
daemon will create a new one. Body of response packet will contain one of four things,
either the request resource ( if request was successful), error document (if not
successful), output of script, directory index (listing).
The httpd sends a request to the HTTP server in port 80. This then is assigned to an
httpd parent process which will then assign this to the first available child process. Which
will read the resource. Then the child process sends an HTTP Response.
When the server responds, it sends a HTTP response packet. In the response headers,
there will be instructions for the browser. For example, status (was the request
successful or did it have an error), what character coding you used, what the server OS
is. Most important piece of information is status code tho.
Status codes for HTTP fall in 4 categories:
200 - Indication of success. Request was successful. Most common one: 200.
300 - Redirection. Tells client to get resource from somewhere else. For example, 301,
302, 304
400 - Client side error. Most common ones 401 (AUTHENITICATION), 403 (Permission)
and 404. (Its broken)
500 - Server side errors. Most common one is 500 which means internal server error.
Youll get this most likely when a script fails to execute properly on the server. 502 is
when server is overloaded AKA it is very busy.
One request will not remember any information from previous request. transaction based
protocol not connection oriented. Everything is individualized.
Headers contain various kinds of info that are requested and responded, things like
passwords, version and OS System are displayed here.
Get Get required Resources
Post- Send form data to the server
Head- Return the header only
In HTTP request packet, the body will only be used if youre using POST method, but the
head of the HTTP request packet can be used if you use the methods HEAD, GET and
POST.
Header can contains, resource, HTTP version, environment variables, Cookies,
Authorization, caching info, form data.
In HTTP response packet, HEAD is not visible to your browser, body is visible. HEAD
contains status code, content type, content length, cookie, environment variables,
location. BODY contains requested files, or error page, or output from script, or directory
listing.
What separates the header and body is always a blank line.
one element. If we want to call out multiple elements, we have to use @. For example,
printf @months[1,2];
Hashes - Hold pairs of data names (keys) and data values (values)
Names start with %. Example of declaring a hash, %aboutme={name,Brian,age,45};
You can have as many as you want, but it has to be in the order of key & value. In our
example, name is a key and Brian is a value. Age is a key and 45 is a value.
printf $aboutme{age}; this would look for the key age and print the value which is 45.
You can only call out one key at a time not multiple like in arrays.
-w when put after the shebang line (#!/usr/bin/perl -w) is an option that means display
any warnings.
To obtain input from user,we would do: $you= <STDIN>;
The function chomp removes the new-line character from the end of a piece of data.
We could use it after gathering input from user like this: chomp($you);
To comment out something in a Perl script, just use # symbol.
Any calculations put within quotes will be printed out literally. For example 5+3 would
literally print 5+3 not 8. Those outside the quotes would be calculated.
Incremental operator is for example: $a++; This would increment the a variable by 1.
The function localtime would print out the system date/time stamp.
To call out elements in an array, we could use a foreach loop.
This is the syntax: foreach (@colours)
{
printf $_\n;
}
$_ is the default variable name, you would use it if you dont specify any variables in
your foreach statement.
Another example of a foreach loop would be: foreach $i (@colors) { printf $i\n;}
The function pop in an array would remove the last element from an array and assign it
to a variable. For example, $lastelement=pop(@colors); You could use pop without
assigning to a variable but it would just remove the element and nothing else.
The function shift would remove the first element and assign it to a variable. Its the
opposite of pop. Example, $firstlement=shift(@colors)
The function push would add elements to the end of an array. For example:
@morecolours = (purple,teal,red);
push (@colors,@morecolours);
The function delete would delete certain elements from an array or keys from a hash.
You can do this by typing delete(@colours[2]); where colours is the name of the hash
and 2 is the number of the index in which in the element is in.
You can also write the name of the key like this delete(@colors{foo})
http://perl.about.com/od/programmingperl/qt/perldelete.htm
http://perldoc.perl.org/functions/delete.html
The function sort does NOT change the contents of an array, all it does is output the
contents of the array in sorted order. To have a changed array: you can use it like :
@sortedlist=sort(@colors);
To find the last element number in an array, you would do: printf the last element \# in
the array is , $#colours \n;
To find the actual length of an array ( how many elements are in it), use the scalar
function like this: scalar(@colors);
The function reverse would print the elements in reversed order. Example:
reverse(@colors)
The join function joins elements of array into a single string and you can specify the
separator. For example, join(", ",@colors) would print out "black, magenta, cyan, blue,
green". and
join (--,@colors); would do the same but it would put -- instead of a comma.
join (--,keys %courses)
You can do custom quoting in Perl, which basically helps when youre trying to print a
line that has double quotes in it but you dont want it to get mixed up with the double
quotes you use for the printf command. You can use the qq function for this like this:
printf qq~blablablablablafd~;
This basically makes the tilde symbol ~ act as a double quote so that the information
within does not get mixed up because we have multiple double quotes in our line. You
can use anything except the tilde. 7
The qw function would go and quote each word when youre declaring an array, so you
dont manually have to put a quote for each word and separate them by a comma. You
can ujst do @months = qw(firstelement secondelement thirdelement);
or @months = qw/firstelement secondelement thirdelement/;
When youre using brace expansions in Perl, such as [1..9] it has to be ascending and
wont work if its descending.
Perl syntax is flexible and you can do something in more than one way. For example,
when making hashes, you can either do %courses = ( int420, internet II, ndd430,
network diagnostics); OR %courses = ( int420 => internet II, ndd430 => network
diagnostics);
The error directory contains HTML error documents HTML errors such as 404
and 501.
The manual directory contains all apache documentation in HTML format.
To see if you can access your own apache server, type zenit.senecac.on.ca:8012 on
your browser but change the port to your own.
httpd.conf contains comments and directives. serverroot tells where apche was
listen specifies port numbers that apache server will listen.
if you want multiple port numbers, you can add multiple Listen directives. for example
having two lines, one being Listen 80 and another one being Listen 8083
User directive tells you which user is running apache and group directive
ServerAdmin directive is the email of server administrator.
The DocumentRoot directive identifies where the document root is.
Series of directory containers which give access to various parts of the file system using
HTTP.
First configured directory is system root, by default nobody is allowed to use HTTP to
access system root. never ever change that. 2 directives used in this container, order
directive and allow/deny. Order deny, allow. Tells us which order to apply the rules, deny
rules first or allow rules first. By default, it will apply the deny rules. So if you have deny
and allow after it, it will deny first, then allow one user. if you change it to apply allows
first, it will allow that user first and deny everything so in the end no one will have
access.
You can have multiple directory containers.
We can make a new one for our document root. Its rules are Order allow, deny. Allow
from all. This makes everyone able to access the htdocs directory which is the root of
our website. We want this.
ErrorLog directive tells you where error logs are stored.
LogFormat directive will allow you to customize the format in which your error logs are
outputted.
ScriptAlias directive tells us that if the user puts cgi-bin in the browser it will go to
/home/baabbasi/apachebg/cgi-bin and execute the script but not read the code. When
we access a script via ScriptAlias by default, they can only execute scripts not read
them.This alias is only for a whole directory not a file, so when you set it up they only
have to write the names of the scripts in the browser bar to execute them because the
system will go to the directory you specified in the ScriptAlias and grab the
corresponding script.
You would have to add in another directory container for the cgi-bin because by default
its denied for access by users.
Virtual hosting is when you host two different websites that are completely seperate. 3
ways to configure virtual hosting:
Using Host headers. We have a server running with an IP server on the network,
in the request, it tells the server which host its looking for. Theres an actual
header, beyond whats included in the URL, that tells the server which host the
client is looking for. For example, if you are hosting both McDonalds and Burger
King, your server will have the same IP for both. It is up to the host header to
determine which one of us these the client will go to. It will redirect the client to
the document root of the specific host.
IP address based virtual host. What we do in that scenario is we actually have
our server configured with multiple IPs via different interfaces. So depending on
which IP the user accesses through which interface, the server will decide which
document root they will access.
Port based virtual host. In here, the server can listen to multiple ports. So
depending on the port that client uses to connect to the server, the server will
give them access to the appropriate document root. This is the one we use in
Seneca because we cant do the other 2 methods because of Zenit restrictions.
Keep in mind that when youre doing virtual hosting, you would ideally have to create
separate directory for each of them like separate cgi-bin directory, error log directory,
document root, and access logs so their information does not get mixed up together.
To set up port-based virtual hosts, you have to include the supplemental configuration.
Just uncomment the line that has the line starting with Include and has something
about virtual hosts.
To configure virtual hosts, edit the conf/extra/httpd-vhosts.conf file
When we request a directory, it looks at the Directory directive and looks like for the
directory index file (index.html) and give you that one.
If it does not have an index file, it will look like options indexes, if the index option is
allowed, it will send a directory listing of whats in that directory.
If it does not have the options indexes, it will give error 403 code ( Forbidden ).
In order to add an options index to a directory so that the client can list the directory, add
the line Options Indexes to the directory container in the configuration file.
In conf/httpd.conf, the dir_module can change the behaviour of Apache when a client
requests a directory.
You can customize error pages via the main configuration file conf/httpd.conf.
First test is based on Week 2 and 3 labs. DO THEM.
While adding aliases in the httpd.conf file, the ScriptAlias would allow the scripts to be
executed.
When you just put Alias instead of ScriptAlias, it allows the scripts to be read my users.
Dont put any other thing other than Alias and ScriptAlias. NOTE: These are NOT the
alias names, but the alias types.
To set up port based vhosts:
Comment out the line NameVirtualHost *:80 at the top of the conf/extra/httpdvhosts.conf file then edit the lines below it. Change the document roots and make sure
you open up the directories of them below.
When you send zenit.senecac.on.ca/docs that means you want to look for a file named
docs. If docs doesnt exist as a file, it will try to look for a directory named docs. If you do
zenit.senecac.on.ca/docs/ then that will look for a directory named docs.
Perl stores environment variables in $ENV. For example, if you want to see the users
browser, do a printf and call out $ENV{HTTP_USER_AGENT}.
$ENV{QUERY_STRING} contains the element names and values that the user puts if
they are filling out a form. This is the data that would display on the top of the browser
after a question mark. For example, www.blabla.com/about.me.cgi?person=Brian
HYPERLINK "http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"
HYPERLINK "http://www.blabla.com/about.me.cgi?persin=Brian HYPERLINK
"http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"& HYPERLINK
"http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"sport=Basketball"
HYPERLINK "http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"&
HYPERLINK "http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"
HYPERLINK "http://www.blabla.com/about.me.cgi?persin=Brian HYPERLINK
"http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"& HYPERLINK
"http://www.blabla.com/about.me.cgi?persin=Brian&sport=Basketball"sport=Basketball"
HYPERLINK "http://www.blabla.com/about.me.cgi?
persin=Brian&sport=Basketball"sport=Basketball This is only useful when data is sent
via Get method. We have to use another syntax when we are sending via Post method.
When you use Use strict; at the beginning your script, the variable scope concept is
enforced which means variables inside a routine (aka function) are local which means
only visible in that variable. If you dont put Use strict; , this wont be enforced and all
variables will be global.
Only open directories for certain virtual hosts in the virtual host containers.
For parseing codes using POST:
sub praseform
{
read STDIN, $qstring, $ENV {CONTENT_LENGTH}
sub verifyform
{ $missing = 0
foreach (keys %form)
{ if ($form{$_} eq
if the user is using GET method, it means first time viewing website.
If theyre using POST, it means theyve filled out the form.
So, do an if statement to check the type of their method. if its get, show form, if its POST,
process it.
Tained mode prevents external sources of information from executing system calls. To
untaint variables you need to basically take a few steps:
Recreate the tainted variables in your script by first checking them against
regular expressions and if you get a match, make a new variable to contain the
output. Then, call our that new variable that has now been verified against a
regular expression throughout the rest of your script. The system will now trust
this variable because it was built internally.
Make sure you put the absolute path (full location) of your system commands.
For example, instead of having the line `mail -s "message" $email <
message.txt`; , you would put `/usr/bin/mail -s "message" $email <
message.txt`;
Make sure you clear the PATH environment variable by doing the following
command, $ENV{PATH}="";
The crypt function encrypts password. When doing authentication, we have to encrypt
the user input for password and validate it against an encrypted entry in the SQL
database. That means that all passwords in the SQL database have to be encrypted and
not visible to the people who see your database. Youre basically going to be comparing
an encrypted password against another encrypted password.
A cookie is a piece of text that identifies certain pieces of information. For example the
domain the cookie is for (eg. senecac.on.ca). A path (eg: /) A UID (eg: 647). expire date
(___). If no expire date is supplied, the cookie will expire when browser is closed.
Cookies allow us to make the HTTP protocol remember who we are because HTTP is a
transactional protocol, meaning each request and response is different and does not
remember anything from the past requests. Cookies will make it remember. When a
server sends you a cookie, it is only used when you send it a request. Every subsequent
request will contain the cookies for that domain.
For asymmetrical encryption, you cannot encrypt and decrypt using the same key, you
have to have the other pair.
Asymmetrical encryption is slower and more resource intensive.
Steps for server
First step: generate a pair of keys (We will use OpenSSL to do this)
Second step: Create a CSR document (Certified Signing Request)
CSR document will contain the public key, the domain, name of the administrator and
contact information of the server.
Third step: Submit the CSR to a certificate authority (CA). CAs are businesses that
make their money validating keys. They will try to validate the authenticity of companies
and their keys.
Fourth Step: CA validates into Signs Certificate.
Fifth Step: Admin installs certificate
So now on our server, we have our private key and a certificate which contains our
public key
Steps for client:
Step 1: Client requests SQL connection. We do this by requesting an HTTPS
connection.
Step 2: Server sends its certificate to the client. This certificate contains servers public
key.
Step 3: The client generates a one-time symmetric session key and encrypts it using the
servers public key. Then that encrypted symmetric session key is sent to server.
So were using both symmetrical and asymmetrical encryptions but we use assymetrical
to encrypt that symmetrical key.
Exam:
Multiple Choice (12 Questions)
SSL/Encryption
- Taint Mode/Tained Variables
-Cookies
HTTP Protocol
HTTP+Apache Config (17 Marks)
CGI scripting /using Perl (13) - Gives us a script and asks about this script
CGI Script Debugging - A script containing 8 errors. We would have to identify those
errors. Could be logic errors or simple errors like missing a semi colon.