
Question

Is it possible to make the following SSIs work on a topic page or header/footer?

<div align="center"><h4><!--#exec cgi="/cgi-bin/counter.pl"--></h4></div>

<div align="right">Current Time: <!--#echo var="DATE_LOCAL"--></div>

<div align="right">Modified: <u><!--#echo var="LAST_MODIFIED"--></u></div>

These tags work on static pages on the same virtual site. I set the Include parameter to "raw" to no avail. I am using the XBitHack setting in Apache2 to parse static pages. XBitHack requires that the executable bit be set in order for Apache to parse the html file for SSIs. Is it possible to have Apache parse for SSIs in a TWiki topic page? It boggles my mind to adjust to dynamic technology. I suppose that the "last modified" tag does not make sense? The page never really exists on the server, thus, it can't be modified?

I have years of data based on this counter. I am in the process of converting a large static site to TWiki technology. It is, however, important that I preserve the counter data. If I must lose the SSI calls, is there a way that I can use the web statistics feature of TWiki to generate counter data displayed on a topic page?

Further, I would like to run a highly modified wwwboard (Matt's script archive) from within a TWiki topic page using Include and having TWiki topic security. Is there any reason that, a priori, this will not work? Thank-you. Loren

Environment

TWiki version: TWikiRelease04x00x04
TWiki plugins: DefaultPlugin, EmptyPlugin, InterwikiPlugin
Server OS: Debian 2.6.15
Web server: Apache 2.0.55
Perl version: 5.8.8
Client OS: All
Web Browser: IE and Firefox
Categories: Installation, Permissions, Missing functionality, Add-Ons

-- LorenEvey - 11 Jul 2006

Answer


I haven't tried this myself, but it appears that doing a

SetOutputFilter INCLUDES

in your http config file might work to enable SSIs. An example of this sort of thing is at: http://www.perl.com/pub/a/2003/04/17/filters.html

-- ClaussStrauch - 11 Jul 2006

One other thing: there are some security issues with enabling SSIs in a wiki. For example, enabling execs will likely cause a system compromise.

-- ClaussStrauch - 11 Jul 2006

Enabling SSI from TWiki topics means that anyone can put any other kind of SSI in topics.

Then it is only the fantasy that limits what kind of other instructions you can run by adding funny scripting.

In a normal static web site it is YOU and only YOU that can edit the pages on the server. When you work with any kind of interactions with users that end up being visible and run by Apache then you give away control. So be very very careful. There have been several attacks on TWiki sites with unsafe Apache configurations.

The general advice is - allow NOTHING inside the TWiki tree.

If you need to count pages, do it in a safe way by including something outside the TWiki tree, and if this "something" external takes parameters in the URL, remember that the parameters can be evil and contain ";cat ../htpasswd" and/or even more advanced buffer overflow parameters. Never execute anything that contains information from the URL or from POST variables.

I can recommend the tool AWStats for making statistics also on TWiki sites. http://awstats.sourceforge.net/

With this you can see how many viewed or edited any of the pages on your TWiki and without adding links on each page. It does it all from the Apache logs.

-- KennethLavrsen - 13 Jul 2006

As Kenneth pointed out, it would be very dangerous to allow SSIs in a TWiki page.

You can encapsulate the call safely in a TWiki Plugin. For example:

  • Call your Plugin CustomPlugin
  • In the initialization routine register a 'CUSTOM' variable handler
  • In your custom handler, expand the %CUSTOM{}% variable based on the parameters
  • In the header/footer, add a %CUSTOM{"count"}% variable; in the custom handler test for the "count" parameter, and call your /cgi-bin/counter.pl script.
See details in Plugins.ReadmeFirst and TWiki.TWikiPlugins.

-- PeterThoeny - 15 Jul 2006
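
A sketch of the plugin outlined in the answer above, as an added example (not code from this thread or from the TWiki project). It assumes TWiki 4.0's `TWiki::Func::registerTagHandler`, a placeholder path for the counter script, and that the script prints the count as digits; the helper names `_CUSTOM` and `_runCounter` are hypothetical.

```perl
package TWiki::Plugins::CustomPlugin;
use strict;

use vars qw( $VERSION $pluginName );
$VERSION    = '1.000';
$pluginName = 'CustomPlugin';

# Assumption: placeholder for the absolute path of the existing counter script.
my $COUNTER_SCRIPT = '/path/to/cgi-bin/counter.pl';

# Allowlist of actions a topic may request; anything else expands to nothing.
my %ACTIONS = ( count => \&_runCounter );

sub initPlugin {
    my ( $topic, $web, $user, $installWeb ) = @_;
    # %CUSTOM{...}% in a topic, header or footer is routed to _CUSTOM.
    TWiki::Func::registerTagHandler( 'CUSTOM', \&_CUSTOM );
    return 1;
}

sub _CUSTOM {
    my ( $session, $params, $theTopic, $theWeb ) = @_;
    # %CUSTOM{"count"}% arrives as the unnamed (_DEFAULT) parameter.
    my $action  = $params->{_DEFAULT} || '';
    my $handler = $ACTIONS{$action};
    # The parameter only selects a handler; it is never passed to a command.
    return $handler ? $handler->() : '';
}

sub _runCounter {
    # Fixed environment: nothing from the request (QUERY_STRING etc.) reaches
    # the child process. Assumes the counter does not need those variables.
    local %ENV = ( PATH => '/usr/bin:/bin' );
    # The command is a constant path with no arguments taken from the topic.
    my $pid = open( my $fh, '-|', $COUNTER_SCRIPT );
    return '' unless $pid;
    local $/;    # slurp the whole output
    my $out = <$fh>;
    close $fh;
    $out = '' unless defined $out;
    # Drop a CGI header block if the script prints one.
    $out =~ s/\A.*?\r?\n\r?\n//s if $out =~ /\AContent-type:/i;
    # Only digits are returned, so the script's output cannot inject markup.
    return $out =~ /(\d+)/ ? $1 : '';
}

1;
```

Topic authors can only choose among the keys of `%ACTIONS`, which keeps the plugin in line with the advice above never to execute anything built from URL or POST data.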

Topic revision: r4 - 2006-07-15 - PeterThoeny
 