Running Batch files from NS...

Alejandro Garza Gonzalez agarza at ci.mty.itesm.mx
Thu Jul 3 10:56:01 EDT 1997


On Wed, 2 Jul 1997, Peter Murray wrote:
> This strikes me as kind of dangerous.  What would prevent a patron from
> hitting a file that contains the commands:
> 
>   delete c:\autoexec.bat
>   delete c:\command.com
> 
> and really ruining your day?

That could happen, but since we have kiosk mode enabled, they can't enter a
new location in the browser; the Open menu is invisible, and while they can
still use CTRL-O to open a file, Flute closes any 'Open' or 'Location'
windows... 

The more secure way is to configure your webserver to respond to the 
application/x-msdos-batch (or whatever) MIME type instead of the .BAT 
extension, that way the user can only execute BAT files in Netscape which 
have been sent from the server; remove the 'bat,BAT' extensions in the 
General Options/Helpers tab in NS, and configure the server MIME types. 
Now, all the BAT files must reside on the server; you can't launch BATs 
from the local disk (although BATs from the server can still execute 
programs on the local disk, CD, Network drive etc).

I'm not sure if you can disable execution of local BAT files in IE, though. 

I'm sorry as I overlooked this 'hole' in my first message.

_ alejandro garza _________________ __ _ _  _    _
  ITESM Centro de Informacion-Biblioteca Monterrey
  agarza at campus.mty.itesm.mx
_ http://www-cib.mty.itesm.mx/ ____ __ _ _  _    _

> --On Mon, Jun 30, 1997 8:11 AM -0700 "Alejandro Garza Gonzalez"
> <agarza at ci.mty.itesm.mx> wrote: 
> 
> > If you want something simple you can install in your Win95 machines, make
> > a .BAT file somewhere in your hard drive, say C:\launch.bat::
> > 
> >    @echo off
> >    call %1
> >    exit
> > 
> > Then, if you have Netscape, make up a new MIME-Type in the Helper 
> > Application list::  (IE runs BAT files automatically)
> > 
> >       MIME Type: application
> >         subtype: x-msdos-batch
> > 
> >    The 'extensions' input field should read:
> > 
> >       bat,BAT
> > 
> >    select 'launch application' and make it read 'c:\launch.bat'. 
> > 
> > Now, put commands you want to run locally in your machine when a user 
> > clicks on a link on a BAT file... say 'notepad.bat' reads:
> > 
> >    c:\windows\notepad.exe
> > 
> > so when the user clicks on a hyperlink that goes 
> > 
> >   <a href="notepad.bat">Execute notepad</a>
> > 
> > the server will feed the BAT file to the browser, thus launching 
> > 'LAUNCH.BAT', which will, in turn, launch NOTEPAD.BAT which runs the 
> > notepad...
> > 
> > Remember, you can also make the BAT files reside on the local disk, or a 
> > Netware disc, or CD-ROM, etc, by specifying exactly where the BAT files 
> > are in the anchor::
> > 
> >   <a href="file:///C|/Program Files/Intranet Menu/notepad.bat">launch 
> >      notepad</a>
> > 
> > would get the Batch file 'notepad.bat' from the local C drive, 
> > subdirectory "Program Files/Intranet Menu"... C could be 'D', 'F' or 'J', 
> > which could point to a Netware Volume, CD-ROM drive etc...
> > 
> > This may be a bit convoluted, but it works and it's free =) Not much 
> > security, though, but we manage by limiting the feeding of BATs from our 
> > servers to only computers with certain IP addresses; outside petitions 
> > never see those links, so they won't get error messages. 
> > 
> > BTW, if you want to run Win3.1 programs from within a DOS shell, you 
> > should get WinStart-- ask me for details.
> > 
> > _ alejandro garza _________________ __ _ _  _    _
> >   ITESM Centro de Informacion-Biblioteca Monterrey
> >   agarza at campus.mty.itesm.mx
> > _ http://www-cib.mty.itesm.mx/ ____ __ _ _  _    _
> 
> 
> 
> --
> Peter Murray, Library Systems Manager                      pem at po.cwru.edu
> Digital Media Services                   http://www.cwru.edu/home/pem.html
> Case Western Reserve University, Cleveland, Ohio            W:216-368-5888
> 
> 
> 
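
The server-side restriction described in this message (batch files sent only under the application/x-msdos-batch type, and only to machines with certain IP addresses), shown as an added Python example that is not part of the original post or the poster's setup. The kiosk network range, the script set and the function names `is_kiosk`, `respond` and `app` are assumptions made for illustration.

```python
import ipaddress
from pathlib import PurePosixPath

# Assumptions, not from the original post: the kiosk range and the script set.
KIOSK_NETS = [ipaddress.ip_network("192.0.2.0/28")]  # constructed documentation range
BATCH_MIME = "application/x-msdos-batch"             # MIME type named in the post
# Constructed, administrator-reviewed scripts. Because a served BAT can still run
# programs on the local disk, this fixed set is the whole trust boundary.
SCRIPTS = {"notepad.bat": b"c:\\windows\\notepad.exe\r\n"}

def is_kiosk(remote_addr):
    """True only when the address parses and lies inside a kiosk network."""
    try:
        addr = ipaddress.ip_address(remote_addr)
    except ValueError:
        return False
    return any(addr in net for net in KIOSK_NETS)

def respond(remote_addr, url_path):
    """Return (status, headers, body) for a request for a batch file."""
    name = PurePosixPath(url_path).name
    # Serve exact, known names only: no sub-paths, no "..", no directory listing.
    if url_path != "/" + name or name not in SCRIPTS:
        return 404, {}, b""
    # Outside clients get the same 404 as for a missing file, so they learn
    # nothing about which scripts exist.
    if not is_kiosk(remote_addr):
        return 404, {}, b""
    headers = {"Content-Type": BATCH_MIME, "Cache-Control": "no-store"}
    return 200, headers, SCRIPTS[name]

def app(environ, start_response):
    """WSGI wrapper. REMOTE_ADDR is the peer address as the server sees it, so
    behind a proxy every client would look the same (assumption: no proxy)."""
    status, headers, body = respond(environ.get("REMOTE_ADDR", ""),
                                    environ.get("PATH_INFO", ""))
    reason = "OK" if status == 200 else "Not Found"
    start_response(f"{status} {reason}", list(headers.items()))
    return [body]

if __name__ == "__main__":
    for client in ("192.0.2.5", "198.51.100.7"):      # constructed addresses
        print(client, respond(client, "/notepad.bat")[0])
```

With the 'bat,BAT' extensions removed from the browser's helper list, as the message recommends, only responses carrying this Content-Type reach the launcher.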

