Re: Problems with CGI-programming
In reply to Alexey A. Shelkovich about Problems with
CGI-programming
> Would somebody list problems which are connected with CGI
> scripts, the bugs they have, how to make CGI script secure
> using Perl interpretive language.
The problem, as always, is that when running a CGI script your
server is reacting to some outsider action. It's a fact that the
number of bugs increases with the complexity of a program, so CGI
scripts that do a lot of things, access many files and especially
call other programs are a real danger in any server.
Interpreted languages are only a danger if you have to execute the
interpreter and pass the script as a parameter. As perl can accept
a script from stdin, if the interpreter is in /cgi-bin it's trivial
to make it execute anything that the user wants. And if you are
running the server as root, you can kiss your disk goodbye...
The guidelines I use are:
Make a script do only and only one thing. If that thing
must be done as root, then DON'T do it at all.
Don't call any external program, especially any shell.
Take care with things like $D=`/usr/bin/date`, the
backticks call sh.
And never, but never, call any external program with
parameters read from the user or from hidden fields
in your html FORM.
For example, if you have a form with something that a customer must
fill in and you want to send the result by mail to someone, don't
call mail or sendmail from your script; just save the info in a
file in some dir and have a daemon (or a cron-started program)
check that dir from time to time. Even then, don't let this
"post-office" daemon read any mail address from the file.
Just my 2 cents...
--
|Antonio Vasconcelos @ The Lisbon $tock Exchange |
|-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --|
|vasco@bvl.pt, postmaster@bvl.pt, webmaster@bvl.pt |
|http://www.bvl.pt:8080/~vasco [vasco@individual.eunet.pt]|
|-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --|
|TEL: +351-1-790-9904 Bolsa de Valores de Lisboa|
|FAX: +351-1-795-2026 R. Soeiro Pereira Gomes |
|http://www.bvl.pt/ 1600 LISBOA, PORTUGAL |
|-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --|
| All opinions are my own, my employer thinks I'm working |
-- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- -- --
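The two points in the post that are easiest to get wrong in practice are the backticks (which spawn sh) and the mail-forwarding form. The following Perl script is an added example, not code from the original post or its author: it takes a timestamp in-process instead of running `/usr/bin/date`, writes each form submission to a private spool file, and shows the "post-office" side that delivers spooled files to a recipient fixed in code, never read from the file. The spool directory `/var/spool/webform`, the sendmail path `/usr/sbin/sendmail`, the recipient `webmaster@example.invalid` and the form field names are all assumptions for the example.

```perl
#!/usr/bin/perl
# Hypothetical feedback-form CGI plus its spool-reading daemon side, written
# to follow the guidelines in the post. Example code, not from the original
# message. Assumed: spool dir /var/spool/webform (writable only by the CGI
# user), /usr/sbin/sendmail, and a fixed recipient address.
use strict;
use warnings;
use POSIX qw(strftime);
use Fcntl qw(O_WRONLY O_CREAT O_EXCL);

my $SPOOL_DIR = '/var/spool/webform';          # assumed path
my $RECIPIENT = 'webmaster@example.invalid';   # fixed in code, never taken from the spool file

# Read the POSTed form body without calling any external program.
sub read_form {
    my $len = $ENV{CONTENT_LENGTH} || 0;
    $len = 65536 if $len > 65536;              # refuse oversized submissions
    my $raw = '';
    read(STDIN, $raw, $len) if $len;
    my %form;
    for my $pair (split /&/, $raw) {
        my ($k, $v) = map { defined $_ ? $_ : '' } split /=/, $pair, 2;
        for ($k, $v) { tr/+/ /; s/%([0-9A-Fa-f]{2})/chr hex $1/ge; }
        $form{$k} = $v;
    }
    return \%form;
}

# Timestamp in-process: `/usr/bin/date` in backticks would start sh,
# so use localtime/strftime instead.
sub timestamp { return strftime('%Y-%m-%d %H:%M:%S', localtime) }

# Write one submission to a fresh spool file. O_EXCL makes creation fail
# instead of overwriting an existing name; mode 0600 keeps the file private.
sub spool_submission {
    my ($form) = @_;
    my $name = sprintf('%s/%d-%d.msg', $SPOOL_DIR, time, $$);
    sysopen(my $fh, $name, O_WRONLY | O_CREAT | O_EXCL, 0600)
        or die "cannot create spool file: $!";
    for my $field (qw(name email comment)) {       # fixed field list; nothing else is stored
        my $val = $form->{$field} // '';
        $val =~ s/[\r\n]+/ /g;                     # one line per field, no CR/LF from the user
        print $fh "$field: $val\n";
    }
    close $fh or die "close failed: $!";
    return $name;
}

# The "post-office" daemon side: deliver every spooled file to the fixed
# recipient. sendmail is started in list form, so no shell ever sees the
# arguments, and nothing from the file is used as an address or a header.
sub deliver_spool {
    opendir(my $dh, $SPOOL_DIR) or die "cannot open spool: $!";
    my @files = grep { /^\d+-\d+\.msg$/ } readdir $dh;   # only names this script creates
    closedir $dh;
    for my $f (@files) {
        my $path = "$SPOOL_DIR/$f";
        open(my $in, '<', $path) or next;
        my $body = do { local $/; <$in> };
        close $in;
        open(my $mail, '|-', '/usr/sbin/sendmail', '-oi', $RECIPIENT)
            or die "cannot start sendmail: $!";
        # Headers are fixed; the user-supplied text goes only after the blank line.
        print $mail "To: $RECIPIENT\nSubject: Web form submission $f\n\n$body";
        close $mail or die "sendmail failed: $?";
        unlink $path;
    }
}

# CGI entry point: spool the form and acknowledge. The daemon (or cron job)
# runs the same file with --deliver.
if (@ARGV and $ARGV[0] eq '--deliver') {
    deliver_spool();
} else {
    spool_submission(read_form());
    print "Content-Type: text/plain\r\n\r\n";
    print "Thanks, your message was received at ", timestamp(), ".\n";
}
```

The CGI half does one thing (write a file) and needs no privileges beyond write access to the spool directory; the delivery half can run as a separate unprivileged user from cron. Because the recipient is a constant and every user-controlled line is pushed below the header block, a submission cannot redirect or inject mail even if the form fields contain addresses or header-like text.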