httpd-dev mailing list archives

From Nathan Neulinger <nn...@umr.edu>
Subject Re: mod_cgissi
Date Sun, 03 Nov 1996 23:13:54 GMT
>> Other than that the very idea makes me cringe...  Anyone is going to
>> have to escape almost 100% of their output... With that, you couldn't even
>> print out what the user typed in without checking it for characters that
>> would need to be protected.
>>
>> I would hate to think that the apache group would ever distribute such a
>> module.
>
>Hmm, I'm not sure I follow you.  What I'd like to do is simply allow something
>like (as a base case example)
>
>  #!/usr/local/bin/perl
>  print "Content-type: text/html\r\n\r\n";
>  print <<EOM;
>    <!--#include virtual="/header.html" -->
>  EOM
>
>What needs to be escaped or protected?

Well, that's fine, if that's all you ever did... But suppose you had:

#!/usr/local/bin/perl
print "Content-type: text/html\r\n\r\n";
.......
print "You entered: ", $field_data{"input"}, "\n";
print <<EOM;
  <!--#include virtual="/header.html" -->
EOM

Without ssi that would be fine. With SSI, the user's input could very
simply have been:

	<!--#exec cmd="cat /etc/passwd" -->

At which point, the cgi script would echo that out, and the server would
promptly execute it.

>Not sure what you mean by security hole, either.  If you let users write SSI
>pages, why not let the output of their CGI scripts be parsed by SSI as well?
>What can you "do" with CGI output to be parsed by SSI that you can't do with
>a regular SSI document?

The point is, if a user doesn't WANT to use SSI, they don't have to worry
about it. If you suddenly start parsing pages, anything a remote user sends
to your script not only is unsafe for using in a command line, but it also
becomes unsafe for even printing out to the browser...

And you know as well as I do that very few people (myself included) think
of every security issue when writing scripts. I sure wouldn't want to have
to worry about even something simple like printing out what a user typed in.

Almost every cgi script EVER written would become an instant security hole
if this were enabled.

>> I'm not a voting member, but if I were I'd give even considering this one a
>> big negative vote.
>
>I'm not proposing this to the group, I was just asking for guru-help.

:)

-- Nathan

------------------------------------------------------------
Nathan Neulinger                  Univ. of Missouri - Rolla
EMail: nneul@umr.edu                  Computing Services
WWW: http://www.umr.edu/~nneul      SysAdmin: rollanet.org
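
An added example, not part of the original message or of Apache: the escaping a CGI script would have to apply to echoed input if its output were run through the SSI parser, as the message above argues. The `%field_data` hash follows the message's snippet; `escape_html` and `contains_ssi` are hypothetical helpers, and the input value is constructed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample input: the directive from the message, arriving as a form field.
my %field_data = (input => '<!--#exec cmd="cat /etc/passwd" -->');

# Hypothetical helper: encode the characters that let text act as markup.
# With '<' encoded, the "<!--#" opener an SSI parser looks for never appears.
sub escape_html {
    my ($text) = @_;
    $text = '' unless defined $text;
    my %entity = ('&' => '&amp;', '<' => '&lt;', '>' => '&gt;',
                  '"' => '&quot;', "'" => '&#39;');
    $text =~ s/([&<>"'])/$entity{$1}/g;
    return $text;
}

# Hypothetical check: does a string still carry an SSI directive opener?
sub contains_ssi {
    my ($text) = @_;
    return $text =~ /<!--#/ ? 1 : 0;
}

my $raw  = $field_data{"input"};
my $safe = escape_html($raw);

print "Content-type: text/html\r\n\r\n";
# Untrusted data is escaped before it is echoed.
print "You entered: ", $safe, "\n";
# The script author's own directive is trusted template text and stays as written.
print qq{  <!--#include virtual="/header.html" -->\n};

# Report to the error log (STDERR under CGI) what escaping changed.
printf STDERR "raw carries SSI opener: %d, escaped carries SSI opener: %d\n",
    contains_ssi($raw), contains_ssi($safe);
```

The echoed line comes out as `You entered: &lt;!--#exec cmd=&quot;cat /etc/passwd&quot; --&gt;`, which a browser displays as typed and which contains no directive for the server to act on.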