Re: [bug-gawk] Question regarding security of gawk CGI scripts


From: Robert Figura
Subject: Re: [bug-gawk] Question regarding security of gawk CGI scripts
Date: Wed, 26 Nov 2014 14:15:18 +0100

On Thu, 20 Nov 2014 14:27:34 -0500
Assaf Gordon <address@hidden>
wrote:

> An AWK CGI script, named "/home/gordon/awktest/1.cgi" :
> ===
> #!/usr/bin/gawk -f
>
> BEGIN {
[...]

I couldn't find 2.cgi, I guess it's the same as 1.cgi:

> Apache will give the CGI parameters to AWK, so you can indirectly set AWK 
> variables:
> 
>      $ curl 'http://localhost/awktest/2.cgi?-vFS%3Dfoo'

> The above is equivalent to:
> 
>      awk -vFS=foo /home/gordon/awktest/2.cgi

And here's the bit I'm surprised about: It will pass CGI variables as
command-line arguments??

I couldn't find that in the CGI draft. Probably it's just me, again,
not getting a security problem. Please be kind %-]

On the other hand, if any of the environment variables the server sets
coincides with one gawk interprets, that might be a problem...

Kind Regards
  - Robert Figura

-- 
no signature this time.
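
The behaviour asked about above matches the "script command line" rule in RFC 3875, section 4.4: for a GET or HEAD request whose query string contains no unencoded "=", a server may split the string on "+", URL-decode each word and hand the words to the script as arguments. The sketch below is an added example, not part of the original message or of gawk; it models that rule only, not any particular server, and its function names and sample requests are constructed.

```python
from urllib.parse import unquote


def cgi_command_line(method, query_string):
    """Arguments an RFC 3875 section 4.4 server would append for this request."""
    if method.upper() not in ("GET", "HEAD"):
        return []
    if not query_string or "=" in query_string:
        # A literal "=" marks an ordinary form query: nothing goes on argv.
        return []
    # search-string = search-word *( "+" search-word ); decode each word afterwards.
    return [unquote(word) for word in query_string.split("+")]


def option_like(args):
    """Decoded words that the interpreter on the #! line could parse as options."""
    return [arg for arg in args if arg.startswith("-")]


def audit(method, query_string):
    """Summarise what reaches argv and which words deserve rejection."""
    args = cgi_command_line(method, query_string)
    return {"argv": args, "flagged": option_like(args)}


# Constructed sample requests: (method, raw query string as it appears in the URL)
SAMPLES = [
    ("GET", "-vFS%3Dfoo"),   # "=" is percent-encoded, so the rule applies
    ("GET", "FS=foo"),       # literal "=": treated as a form query
    ("GET", "awk+cgi"),      # plain indexed query, two harmless words
    ("POST", "-vFS%3Dfoo"),  # rule covers GET and HEAD only
]

if __name__ == "__main__":
    for method, query in SAMPLES:
        print(method, query, audit(method, query))
```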



