Skåne Sjælland Linux User Group - http://www.sslug.dk
 

Re: [PROGRAMMERING] Security assessment of a shell CGI script



On Sat, 7 Aug 2004, Peter Eriksen wrote:

> http://www.sslug.dk/emailarkiv/sikkerhed/2000_07/msg00065.html
> "...  - if you are a web admin or the like and feel the urge to tinker with
> CGI scripts in shell - then don't.  ..."

The problem is specifically with input validation.

> The idea of the program can be seen from the following small shell program:
> 
> #! /bin/sh
> VALG=${QUERY_STRING//&/ }
> VALG=${VALG//valgt=/ }
> for I in $VALG; do
>     case $I in

What happens here is that the user can write anything at all. It would be
better if the choices were a number in an array, and then you only have to
check whether that number exists in that same array.

Personally I would only use shell CGI for things where there is no input
from the user. "cat /proc/cpuinfo", "psql -H <x.sql" and the like.

/hans
-- 
Hamletsgade 4 - 201, DK-2200 København N, Phone: +45 3582 9079
Schou Industries ApS      http://schou.dk/    CVR: 26 13 44 39
--------------------------------------------------------------
Hint of the day, http://www.w3.org/QA/Tips/iso-date
"Use international date format"
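
As an added example (not code from this thread or from either poster), a POSIX sh CGI that applies the index-into-an-allowlist check recommended in the reply above. The parameter name `valgt` is taken from the quoted script; the choice names, `NCHOICES` and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not the script from the thread): a shell CGI that only accepts
# a numeric index into a fixed allowlist, as suggested in the reply above.
set -f   # no pathname expansion: an unquoted $var must never glob on user data
# The allowlist. The client never sends a command or a name, only an index.
CHOICES="cpuinfo meminfo uptime"
NCHOICES=3
# is_valid_index N: succeed only for a plain decimal 1..NCHOICES (no sign, no
# leading zero, no stray characters, bounded length).
is_valid_index() {
    case "$1" in
        ''|0*|*[!0-9]*|?????*) return 1 ;;
    esac
    [ "$1" -ge 1 ] && [ "$1" -le "$NCHOICES" ]
}
# choice_at N: print the Nth allowed choice, or fail with no output.
choice_at() {
    is_valid_index "$1" || return 1
    set -- "$1" $CHOICES        # $1 = index, $2.. = allowed choices
    shift "$1"                  # now $1 is the selected choice
    printf '%s\n' "$1"
}
# selected_choices QUERY_STRING: parse "valgt=N&valgt=M" and print one allowed
# choice per line. Any unknown parameter or bad index fails the whole request;
# the caller must discard partial output when the status is non-zero.
selected_choices() {
    oldifs=$IFS
    IFS='&'                     # split only on '&' (POSIX sh has no ${v//a/b})
    set -- $1
    IFS=$oldifs
    for param in "$@"; do
        case "$param" in
            valgt=*) ;;
            *) return 1 ;;
        esac
        c=$(choice_at "${param#valgt=}") || return 1
        printf '%s\n' "$c"
    done
}
# CGI entry point: validated choices are echoed back; anything else is refused.
main() {
    printf 'Content-Type: text/plain\r\n\r\n'
    if sel=$(selected_choices "${QUERY_STRING:-}"); then
        printf '%s\n' "$sel"
    else
        printf 'Invalid request\n'
    fi
}
main
```

Because the index is checked before it is ever used in `shift` or a command, a value such as `1;id` or `*` is refused outright rather than being expanded by the shell.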

Last modified 2005-08-10, 22:44 CEST