SSI Include from another server...

[flo55y]

Hi Folks,

I posted this on the HTML forum and they told me to try here. Any help gratefully received.

I want to be able to include content from a file in a webpage. I'm currently using SSI Include and that is working great when the file to be included is on the server where the web page lives.

However, I have a requirement to include content from a file held on another server. The SSI Include command doesn't appear to support this unless I'm reading it wrong (which I could well be). When I try virtual or file in the include statement, it won't resolve to a file outside of this server.

Does anyone know of a way to do this? It's really driving me up the wall - such a simple thing to want to do.

Many thanks, Graham.

One day we'll look back on this, laugh nervously and change the subject...

 

[smah]

I'll answer your question with another question. If you were sitting at the console of the web server, how would you access the file you want to include? - with a web browser, by browsing files, ftp, nfs, smb ......

Essentially to include that file, the web server will need to access it from wherever it's located.

 

[feherke]

Hi

To get a file from another server, supposing that the other server serves that file through HTTP protocol, you need a HTTP client. SSI is handled by Apache and Apache has no HTTP client functionality.

You have to include that file using a scripting/programming language. For example in PHP :

<?php

include "[URL unfurl="true"]http://example.com/directory/file.ext";[/URL]

?>

So now I send you to the forum appropriate to the language you will use. For example forum434 ( PHP ).

Feherke.

http://rootshell.be/~feherke/

 

[flo55y]

Much appreciated folks.

smah - thanks for focusing my mind for me.

feherke - thanks for the php lead. I'll look into that.

I'll post back to let you know how things go.

Cheers, Graham.

One day we'll look back on this, laugh nervously and change the subject...

 

[flo55y]

Hi Folks,

Everything is working beautifully now. Thank you.

Just to let you know and anyone else that's looking to do this sort of thing how I resolved it.

I made use of Feherke's suggested php code

<?php
include "[URL unfurl="true"]http://example.com/directory/file.ext";[/URL]
?>

and dropped this into my webpage.html code. I then renamed wegpage.html to webpage.php and it worked a treat!

Thanks once again.
Graham.

One day we'll look back on this, laugh nervously and change the subject...

 

[thedaver]

Just to be the voice of security-minded programming..

PHP gets a lot of unfair knocks in the security world because it permits this kind of behavior... arbitrarily including code/files from ANY location accessible by the machine.

In truth this isn't a problem restricted to just PHP, but the security wonks delight in pointing out that a failure to heavily restrict this kind of inclusion, particularly without any safeguards around what you are including, is inherently dangerous.

So, the lesson learned is that you SHOULD take some steps to ensure that the included code is safe. That safety comes in the form of understanding what the included code does, how it could be modified without your approval, how much you trust what that code does, etc.

Remember, the included code you use happily today could easily be modified by the remote administrator to become

<?
$fp = fopen("/etc/shadow", "r");
while (!feof($fp)) {
  print fgets($fp);
}
fclose($fp);
?>

That would clearly be a disappointing change in your included code.

Good luck!

D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[feherke]

Hi

Sorry, thedaver, but what is the point in your post ? This can be done with any server-side programming language. This is the reason of running the servers in [tt]chroot[/tt], but from this point the discussion tends to become off-topic.

But you are right, I assumed the other server is also administrated by Graham. If not, would be better to use [tt]readfile()[/tt] instead of [tt]include()[/tt] :

<?php

readfile("[URL unfurl="true"]http://example.com/directory/file.ext");[/URL]

?>

Feherke.

http://rootshell.be/~feherke/

 

[thedaver]

feherke, you may be right that I was off-topic for the thread, but you also validated my reason for posting. The OP was guided to use include, which allows for changing of variables, path disclosures, and many more etc.'s.

My desired outcome was to add onto this thread the concept that blindly inculding files from "other sources" creates more risks. Including files from "trusted sites" is obviously slightly less dangerous but still maintains its own set of risks. And so on...

More than anything, I get annoyed by the digital security professionals who knock languages as being insecure instead of the particular techniques that particular programmers use (or fail to use.)

This was NOT intended as any sort of flame about the OP or the thread responders... thanks.
D.


D.E.R. Management - IT Project Management Consulting

http://www.dermanagement.com/

 

[feherke]

Hi

Ok, I just was not sure that I got the meaning.

And the off-topic referred to my post, not yours, because I deviated to generic server-side problems.

Thanks for the observation.

Feherke.

http://rootshell.be/~feherke/