Re: opinion on shell cgi scripts
- To: misc_(_at_)_openbsd_(_dot_)_org
- Subject: Re: opinion on shell cgi scripts
- From: Greg Wooledge <greg_(_at_)_wooledge_(_dot_)_org>
- Date: Sat, 30 Oct 2004 08:21:43 -0400
- Mail-followup-to: misc_(_at_)_openbsd_(_dot_)_org
Dimitri Georganas (dg_(_at_)_mitc_(_dot_)_net) wrote:
> What's the general opinion on using shell scripts as cgi scripts from
> a security viewpoint? What are the risks involved? Is it a no-go, or
> is safety ok when certain criteria are met?
It's fine as long as you treat any browser-supplied parameters as
toxic waste. Double-quote all your variable references, sanitize
your inputs (e.g. by stripping out all non-alphanumeric characters),
and so on.
Greg Wooledge | "Truth belongs to everybody."
greg_(_at_)_wooledge_(_dot_)_org | - The Red Hot Chili Peppers
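
The two pieces of advice in the reply above (double-quote every variable reference, strip all non-alphanumeric characters), applied in a small POSIX sh CGI fragment. This is an added example, not part of the original message; `get_param`, `render_page` and the `user` parameter are hypothetical names.

```shell
#!/bin/sh
# Added example: treat QUERY_STRING as untrusted in a shell CGI.
# get_param, render_page and the "user" parameter are hypothetical names.

# get_param NAME: print the value of NAME from $QUERY_STRING, reduced to
# ASCII letters and digits. %XX escapes are deliberately not decoded, so
# an encoded metacharacter can never reappear after sanitizing.
get_param() {
    name=$1
    value=
    old_ifs=$IFS
    set -f                  # no glob expansion while splitting on '&'
    IFS='&'
    for pair in $QUERY_STRING; do
        case $pair in
            "$name"=*) value=${pair#*=}; break ;;
        esac
    done
    IFS=$old_ifs
    set +f
    # Allow-list: delete every byte that is not A-Z, a-z or 0-9.
    printf '%s' "$value" | LC_ALL=C tr -cd 'A-Za-z0-9'
}

render_page() {
    user=$(get_param user)
    printf 'Content-Type: text/plain\r\n\r\n'
    # The value is passed as a quoted argument, never as the format string.
    printf 'Hello, %s\n' "${user:-anonymous}"
}

# Act as a CGI only when the web server has set REQUEST_METHOD.
if [ -n "${REQUEST_METHOD:-}" ]; then
    render_page
fi
```
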