Re: opinion on shell cgi scripts
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: opinion on shell cgi scripts
- From: Ben Goren <ben_(_at_)_trumpetpower_(_dot_)_com>
- Date: Wed, 27 Oct 2004 16:54:06 -0700
On 2004 Oct 27, at 3:00 PM, Dimitri Georganas wrote:

> What's the general opinion on using shell scripts as cgi scripts from
> a security viewpoint? What are the risks involved? Is it a no-go, or
> is safety ok when certain criteria are met?

First, this has nothing to do with OpenBSD.

Security has much less to do with the language than with the code. You
can write secure and insecure code in any language, be it assembly, C,
Perl, Java, or (,[a-z])sh. Some languages are vulnerable to certain
classes of bad programming that others protect against, but all have
potential points of failure.

I'm not aware of any shell that is particularly well suited to the
kinds of programming typically done in CGI work. However, if you're
especially comfortable writing code for your particular shell and see
no need (such as maintainability by others in the future) to use a
language more traditionally used for CGI, then there's no particular
reason not to go that route.