bug-gawk

Re: [bug-gawk] Question regarding security of gawk CGI scripts


From: taltman
Subject: Re: [bug-gawk] Question regarding security of gawk CGI scripts
Date: Thu, 20 Nov 2014 09:08:41 -0800
User-agent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10.6; rv:31.0) Gecko/20100101 Thunderbird/31.2.0

Hello Aharon,

Thank you for your reply. I think I might take a peek at the source
code, and perhaps also pose the question on comp.lang.awk. It would be
nice to know for certain, and update the docs to add clarity and
precision to the wording.

B'Shalom,

~Tomer

On 11/20/14 8:33 AM, Aharon Robbins wrote:
> Hello.
>
> This seems to have gotten lost in my inbox, for which I deeply apologize.
>
> The answer is "I don't know".  I took the word of the person who contributed
> the -E feature that it was necessary.
>
> Arnold
>
>> Date: Wed, 11 Jun 2014 13:23:40 -0700
>> From: taltman <address@hidden>
>> To: address@hidden
>> Subject: [bug-gawk] Question regarding security of gawk CGI scripts
>>
>> I have a question regarding gawk which is not a bug to report. I don't
>> know of an email list, newsgroup, etc. that is more appropriate for
>> posting such questions, so please forgive me if I am in error.
>>
>> In the GAWK manual, there's the following discussion of CGI security:
>>
>> "This option is particularly necessary for World Wide Web CGI
>> applications that pass arguments through the URL; using this option
>> prevents a malicious (or other) user from passing in options,
>> assignments, or awk source code (via --source) to the CGI application."
>>
>> I am confused about how a remote malicious user would be able to
>> manipulate the command line used to execute the gawk CGI program. GET
>> method variables are passed via environment variables, and POST method
>> variables are passed via STDIN. Is there some other way that
>>
>> The only scenario that makes sense to me would be: a malicious user on
>> the same system which hosts the CGI script tries to invoke the script,
>> and passes in extra command-line arguments. Is that what is meant?
>>
>> I am writing a CGI script using gawk, and I want to make sure that I
>> fully understand this security concern, and the associated threat model.
>>
>> Thanks in advance, and my apologies again if this question is
>> inappropriate for this list.
>>
>> Regards,
>>
>> ~Tomer Altman
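The thread leaves open how a URL could ever reach gawk's command line. The route is the CGI specification itself: RFC 3875 section 4.4 has the web server treat a GET whose query string contains no unencoded "=" as an "indexed" query, split it into words, and pass those words to the CGI program as command-line arguments. A request such as /cgi-bin/script?--source+... therefore lands in argv after the interpreter line, which is what the manual's -E advice is about. The script below, an added example that is not code from the thread or from the gawk project, shows what such words do under -f versus -E. The awk script and the argument strings are constructed here for illustration; the script needs a gawk binary on PATH and says so and exits cleanly if there is none.

```shell
#!/bin/sh
# Added example (not from the thread or the gawk sources): words that arrive
# after the script name are options under -f and plain data under -E.
set -e

# Throw-away stand-in for a CGI script: it only reports what is in ARGV.
SCRIPT_FILE=$(mktemp)
trap 'rm -f "$SCRIPT_FILE"' EXIT
cat > "$SCRIPT_FILE" <<'EOF'
BEGIN {
    line = "args:"
    for (i = 1; i < ARGC; i++)
        line = line " [" ARGV[i] "]"
    print line
}
EOF

# -f: gawk keeps parsing options after the script file, so an attacker-supplied
# --source adds its own program text to the one being run.
run_with_f() {
    gawk -f "$SCRIPT_FILE" "$@"
}

# -E: option processing stops at the script file; every remaining word is
# ordinary data in ARGV, and var=value assignments on the command line are
# disabled as well.
run_with_E() {
    gawk -E "$SCRIPT_FILE" "$@"
}

# Constructed attacker input: under -f the pair "--source <text>" is an option.
INJECTED='BEGIN { print "injected code ran" }'

demo() {
    echo '--- -f: the injected --source is parsed as an option ---'
    run_with_f --source "$INJECTED"
    echo '--- -E: the same words are just arguments ---'
    run_with_E --source "$INJECTED"
    echo '--- -E: a -v assignment is also just two arguments ---'
    run_with_E -v x=1
}

if command -v gawk >/dev/null 2>&1; then
    demo
else
    echo 'gawk not found on PATH; nothing to demonstrate' >&2
fi
```

Run it with `sh demo.sh` (hypothetical file name). The -f run prints the injected line in addition to the script's own `args:` line, because gawk concatenated the attacker's program text onto the script; the -E run prints only `args: [--source] [BEGIN { print "injected code ran" }]`, and the `-v x=1` words likewise come through as `args: [-v] [x=1]` instead of becoming a variable assignment. The same holds for a `#!/usr/bin/gawk -E` interpreter line, which is the form the manual recommends for CGI use.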



