
Re: Problems with CGI-programming



IMHO, you don't need to be _quite_ so paranoid about CGI security.  If you 
are programming in Perl, it is possible to pass user input to an external 
program safely by proper use of exec().  Briefly, this involves using exec() 
with a hardcoded program path and piping the output into your script.  To 
quote from the "perlfunc" exec() section:
     "If there is more than one argument in LIST, or if
     LIST is an array with more than one value, calls
     execvp(3) with the arguments in LIST."
So if your first argument is a hard-coded path, unless the command being 
executed supports shell escapes from the command line, you should be safe.

In short, if you hard-code the program path, and don't run programs that 
allow shell escapes (arbitrary commands) from the command line, AND pipe the 
output to your CGI script, you should be OK.
======================================================================
Mark Leighton Fisher                   Thomson Consumer Electronics
fisherm@indy.tce.com                   Indianapolis, IN
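The idiom the post describes, as an added example that is not part of the original message or its author's code: a fork, an exec() in LIST form with a hard-coded program path, and the child's output read back through a pipe. It assumes /bin/echo as a stand-in for whatever program the CGI script really needs, and the query value is constructed inline rather than read from the request.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# perlsec: when running under -T, exec() refuses to start unless PATH is
# trusted, and the shell-related variables should be cleared as well.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Hard-coded program path, never assembled from request data.
# /bin/echo stands in for the real tool (assumption made for this demo).
my $PROGRAM = '/bin/echo';

# Run $PROGRAM with @args, capture its stdout, and return it as a string.
# The child calls exec() in LIST form, so perl goes straight to execvp(3)
# and /bin/sh never sees the arguments. The indirect-object form
# exec { $PROGRAM } ... forces LIST semantics even if @args is empty,
# which otherwise would fall back to the single-string (shell) form.
sub run_and_capture {
    my @args = @_;
    my $pid = open(my $out, '-|');           # fork; child's stdout -> $out
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {                         # child process
        exec { $PROGRAM } $PROGRAM, @args
            or die "exec $PROGRAM failed: $!";
    }
    local $/;                                # slurp the whole output
    my $output = <$out>;
    close $out;
    return $output;
}

# Constructed query value containing shell metacharacters.
my $user_input = 'alice; id';

# 1. String form (do NOT use): perl hands the whole line to /bin/sh,
#    which treats ';' as a command separator.
#    open(my $fh, "$PROGRAM $user_input |");

# 2. LIST form: the input is one argv element. echo prints the literal
#    text "alice; id"; nothing after the ';' is executed.
print "list form : ", run_and_capture($user_input);

# 3. Even with no shell involved, only accept what the program was meant
#    to receive. The first character may not be '-', so the value cannot
#    be parsed as an option by the tool. Under -T the regex capture is
#    also what untaints the value, which exec() requires.
if ($user_input =~ /\A([A-Za-z0-9_.@][A-Za-z0-9_.@-]{0,63})\z/) {
    print "validated : ", run_and_capture($1);
} else {
    print "rejected  : input is not a plain token\n";
}
```

Run it as `perl -T script.pl` to get taint checking on top of the LIST-form exec; in a real CGI script the regex in step 3 is what turns the tainted query value into something exec() will accept. The LIST form removes the shell from the picture, but it does not make the called program safe by itself, which is the post's remaining caveat: a tool that interprets its arguments as commands, or that has its own escape syntax, still needs the allowlist check.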