
Re: [bug-gawk] Question regarding security of gawk CGI scripts


From: Aharon Robbins
Subject: Re: [bug-gawk] Question regarding security of gawk CGI scripts
Date: Thu, 20 Nov 2014 18:33:08 +0200
User-agent: Heirloom mailx 12.5 6/20/10

Hello.

This seems to have gotten lost in my inbox, for which I deeply apologize.

The answer is "I don't know".  I took the word of the person who contributed
the -E feature that it was necessary.

Arnold

> Date: Wed, 11 Jun 2014 13:23:40 -0700
> From: taltman <address@hidden>
> To: address@hidden
> Subject: [bug-gawk] Question regarding security of gawk CGI scripts
>
> I have a question regarding gawk which is not a bug to report. I don't
> know of an email list, newsgroup, etc. that is more appropriate for
> posting such questions, so please forgive me if I am in error.
>
> In the GAWK manual, there's the following discussion of CGI security:
>
> "This option is particularly necessary for World Wide Web CGI
> applications that pass arguments through the URL; using this option
> prevents a malicious (or other) user from passing in options,
> assignments, or awk source code (via --source) to the CGI application."
>
> I am confused about how a remote malicious user would be able to
> manipulate the command line used to execute the gawk CGI program. GET
> method variables are passed via environment variables, and POST method
> variables are passed via STDIN. Is there some other way that
>
> The only scenario that makes sense to me would be: a malicious user on
> the same system which hosts the CGI script tries to invoke the script,
> and passes in extra command-line arguments. Is that what is meant?
>
> I am writing a CGI script using gawk, and I want to make sure that I
> fully understand this security concern, and the associated threat model.
>
> Thanks in advance, and my apologies again if this question is
> inappropriate for this list.
>
> Regards,
>
> ~Tomer Altman
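The manual text quoted above says -E stops gawk from honouring options, assignments or --source that arrive after the script name. The script below, added here as an illustration and not part of this thread or of gawk's own sources, runs the same constructed argument pair through "gawk -f script" and "gawk -E script" so the difference can be observed. It assumes gawk is on PATH (it reports "skipped" otherwise); the temp file path, the function names and the two argument strings are the example's own choices.

```sh
#!/bin/sh
# Added example (not from the original thread). Assumes gawk is installed;
# if it is not, the run_* functions print "skipped".

PROG="${TMPDIR:-/tmp}/argv-demo.$$.awk"
trap 'rm -f "$PROG"' EXIT

# A minimal "CGI-style" script: it prints every command-line argument it
# received and then removes it from ARGV so gawk never opens it as a file.
cat > "$PROG" <<'EOF'
BEGIN {
    for (i = 1; i < ARGC; i++) {
        printf "ARGV[%d]=%s\n", i, ARGV[i]
        delete ARGV[i]
    }
}
EOF

# Constructed arguments of the shape the manual warns about: an option word
# followed by awk source text.  They are data the script should merely echo.
ARG1='--source'
ARG2='BEGIN { print "extra code ran" }'

have_gawk() { command -v gawk >/dev/null 2>&1; }

# With -f, gawk keeps parsing options after the script file, so ARG1/ARG2
# are consumed as a --source option and the extra BEGIN block is executed.
run_with_f() {
    have_gawk || { echo skipped; return 0; }
    gawk -f "$PROG" "$ARG1" "$ARG2"
}

# With -E, option processing ends at the script file; both strings land in
# ARGV and the script simply prints them.
run_with_e() {
    have_gawk || { echo skipped; return 0; }
    gawk -E "$PROG" "$ARG1" "$ARG2"
}

# Summarise a run: "code" if the extra block ran, "data" if it was echoed.
classify() {
    case "$1" in
        skipped)             echo skipped ;;
        *"extra code ran"*)  echo code ;;
        *)                   echo data ;;
    esac
}

echo "--- gawk -f:"; run_with_f
echo "--- gawk -E:"; run_with_e
```

The -E run prints the two arguments as ARGV[1] and ARGV[2]; the -f run prints "extra code ran" instead, because the trailing words were parsed as a --source option. Under -E the script still has to treat the ARGV strings as untrusted input, which is why the example deletes them before gawk would try to open them as files.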
