Re: Problems with CGI-programming
IMHO, you don't need to be _quite_ so paranoid about CGI security. If you
are programming in Perl, it is possible to pass user input to an external
program safely by proper use of exec(). Briefly, this involves using exec()
with a hardcoded program path and piping the output into your script. To
quote from the "perlfunc" exec() section:
"If there is more than one argument in LIST, or if
LIST is an array with more than one value, calls
execvp(3) with the arguments in LIST."
So if your first argument is a hard-coded path, unless the command being
executed supports shell escapes from the command line, you should be safe.
In short, if you hard-code the program path, and don't run programs that
allow shell escapes (arbitrary commands) from the command line, AND pipe the
output to your CGI script, you should be OK.
======================================================================
Mark Leighton Fisher Thomson Consumer Electronics
fisherm@indy.tce.com Indianapolis, IN
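
The technique described in the message above, as an added example that is not part of the original post: a forking pipe open with a list-form exec() of a hard-coded path, so user input never reaches a shell and the program's output is piped back into the script. The program path /bin/echo, the helper name run_safely and the sample input are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: a value as it might arrive from a CGI form field.
my $user_input = 'fisher; echo INJECTED `id` $(id)';

# Hard-coded program path (assumed location; never derived from user input).
my $PROGRAM = '/bin/echo';

# Hypothetical helper: run $PROGRAM with @args and return (exit status, output lines).
sub run_safely {
    my (@args) = @_;

    # List-form exec stops shell interpretation, not the program's own option
    # parsing, so refuse arguments that would be read as command-line switches.
    for my $arg (@args) {
        die "argument may not start with '-'\n" if $arg =~ /^-/;
    }

    # open with '-|' forks; the parent reads the child's STDOUT through $fh.
    my $pid = open(my $fh, '-|');
    die "fork failed: $!" unless defined $pid;

    if ($pid == 0) {
        # Child: the indirect-object form forces list semantics even when @args
        # is empty, so execvp(3) is called directly and no shell is started.
        # Metacharacters in @args arrive as literal bytes in argv.
        exec { $PROGRAM } $PROGRAM, @args;
        die "exec of $PROGRAM failed: $!";
    }

    # Parent: collect the output piped back from the child.
    my @output = <$fh>;
    close($fh);    # waits for the child; $? now holds its wait status
    return ($? >> 8, @output);
}

my ($status, @lines) = run_safely($user_input);
print "exit status: $status\n";
print "child output: $_" for @lines;
```

The child's output contains the semicolon, backticks and $( ) unchanged, which shows that they were handed to the program as one literal argument and not interpreted as commands.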