Re: opinion on shell cgi scripts



Greg Wooledge wrote:

>>What's the general opinion on using shell scripts as cgi scripts from
>>a security viewpoint? What are the risks involved? Is it a no-go, or
>>is safety ok when certain criteria are met?
> 
> It's fine as long as you treat any browser-supplied parameters as
> toxic waste.  Double-quote all your variable references, sanitize
> your inputs (e.g. by stripping out all non-alphanumeric characters),
> and so on.

The reason PHP and CGI are better suited to the task is because they do 
a lot of this for you, and also provide handy tools to do it as well.

Out of interest, what's wrong with using something like:

system( "my.script.sh" );

In some Perl CGI or PHP?  Unless you give the script SUID permissions, 
it's never going to be able to run as anything other than the apache user.

Gaby

-- 
Ha! Ha! Ha!  Dislocation...
- Phil Ken Sebben

gaby@vanhegan.net
http://vanhegan.net
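
The advice quoted in this message (double-quote every variable reference, strip non-alphanumeric characters from browser-supplied parameters), shown as an added example that is not part of the original post or thread. The helper names `get_param`, `sanitize_alnum`, `handle_request`, the `user` parameter and the 32-character cap are assumptions made for illustration.

```shell
#!/bin/sh
# Added example: all function names and the "user" parameter are hypothetical.

# Print the raw (still URL-encoded) value of parameter $1 from query string $2.
# Only IFS splitting and parameter expansion touch the data: no eval.
get_param() {
    _name=$1
    _qs=$2
    _old_ifs=$IFS
    IFS='&'
    set -f                      # no globbing: a '*' in the input stays literal
    for _pair in $_qs; do       # the one deliberate unquoted expansion
        case $_pair in
            "$_name="*)
                IFS=$_old_ifs; set +f
                printf '%s' "${_pair#*=}"
                return 0 ;;
        esac
    done
    IFS=$_old_ifs; set +f
    return 1                    # parameter not present
}

# Allow-list filter: keep only A-Z a-z 0-9 and cap the length at 32.
# It runs on the undecoded value, so "%3B" becomes the digits "3B",
# never the ';' character it encodes.
sanitize_alnum() {
    printf '%s' "$1" | LC_ALL=C tr -cd 'A-Za-z0-9' | cut -c1-32
}

# Build the CGI response; every expansion of request data is double-quoted.
handle_request() {
    user=$(sanitize_alnum "$(get_param user "${QUERY_STRING:-}")")
    printf 'Content-Type: text/plain\r\n\r\n'
    if [ -z "$user" ]; then
        printf 'missing or invalid user\n'
    else
        printf 'hello %s\n' "$user"
    fi
}

# Respond only when started by a web server (CGI sets GATEWAY_INTERFACE).
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
    handle_request
fi
```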