Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Security assessment of a shell CGI script



Dear mailing list,

I have a question about the security of a CGI program I have
written.  I have looked at

http://www.linuxbog.dk/web/bog/dynweb.html#CGI-scripts

og

http://www.sslug.dk/emailarkiv/sikkerhed/2000_07/msg00065.html
"...  - if you are a web admin etc. and feel the urge to tinker with
CGI scripts in shell - then don't.  ..."

og

http://webserver.cpg.com/features/cover/2.6/
" ... 20. Have your code reviewed by another competent programmer (or
two, or more). ..."

and have not been able to find a satisfactory answer.


The idea of the program can be seen from the following small shell program:

#!/bin/bash
# ${var//pattern/string} is a bash extension, so the script needs bash rather than /bin/sh.
VALG=${QUERY_STRING//&/ }      # replace every '&' with a space
VALG=${VALG//valgt=/ }         # strip the "valgt=" key so only the values remain
for I in $VALG; do             # unquoted on purpose: the values are split on whitespace
    case $I in
        Computerworld) skriv_liste computerworld.sh;;   # skriv_liste: the author's helper, defined elsewhere (not shown)
        Glek) skriv_liste glek.sh;;
        *) echo "<p> Ugyldigt modul, $I, forsøgt </p>" ;;
    esac
done

It is an attempt to implement a table where each argument from the
form GET method is looked up in order, and if it is found in the table,
a program is executed which then receives no arguments.  If the
argument is not found in the table, an error message is printed.

My question is then whether this table-lookup construction has any
weaknesses; are $VALG and $QUERY_STRING harmless regardless of what
they contain?

Best regards,

Peter Eriksen

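The lookup-table pattern from the post above, as an added example that is not the original post's code: a POSIX sh dispatcher that walks QUERY_STRING pair by pair with parameter expansion (so the user-supplied string is never word-split or glob-expanded), keeps the case-based whitelist, and HTML-escapes a rejected value before it is echoed back. The module script names computerworld.sh and glek.sh are assumed from the post; the dispatcher only prints what it would run.

```shell
#!/bin/sh
# Added example (not the original post's code). Dispatch on "valgt="
# parameters from QUERY_STRING using a case-based whitelist, without
# ever letting the shell word-split or glob-expand the user input.

# Map a module name to its script. Only exact matches are accepted;
# the script names are assumed for this example.
lookup_module() {
    case $1 in
        Computerworld) printf '%s\n' computerworld.sh ;;
        Glek)          printf '%s\n' glek.sh ;;
        *)             return 1 ;;
    esac
}

# Escape the characters that matter when a value is reflected into HTML.
html_escape() {
    printf '%s' "$1" | sed 's/&/\&amp;/g; s/</\&lt;/g; s/>/\&gt;/g; s/"/\&quot;/g'
}

# Walk the query string one "key=value" pair at a time. Prints
# "run <script>" for each whitelisted "valgt=" value and
# "reject <escaped value>" for anything else; other keys are ignored.
dispatch_query() {
    qs=$1
    while [ -n "$qs" ]; do
        case $qs in
            *"&"*) pair=${qs%%"&"*}; qs=${qs#*"&"} ;;
            *)     pair=$qs;          qs= ;;
        esac
        key=${pair%%=*}
        value=${pair#*=}
        [ "$key" = valgt ] || continue
        if script=$(lookup_module "$value"); then
            printf 'run %s\n' "$script"
        else
            printf 'reject %s\n' "$(html_escape "$value")"
        fi
    done
}

# Constructed sample input: two valid modules, a glob character and an
# HTML tag, none of which reach the shell as words or the browser unescaped.
dispatch_query "${QUERY_STRING:-valgt=Computerworld&valgt=*&x=1&valgt=<b>}"
```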


Questions about the web-pages to <www_admin>. Last modified 2005-08-10, 22:44 CEST