Re: [bug-gawk] Question regarding security of gawk CGI scripts
From: Robert Figura
Subject: Re: [bug-gawk] Question regarding security of gawk CGI scripts
Date: Wed, 26 Nov 2014 14:15:18 +0100
On Thu, 20 Nov 2014 14:27:34 -0500 Assaf Gordon <address@hidden> wrote:
> An AWK CGI script, named "/home/gordon/awktest/1.cgi" :
> ===
> #!/usr/bin/gawk -f
>
>
> BEGIN {
[...]
I couldn't find 2.cgi, I guess it's the same as 1.cgi:
> Apache will give the CGI parameters to AWK, so you can indirectly set AWK
> variables:
>
> $ curl 'http://localhost/awktest/2.cgi?-vFS%3Dfoo'
> The above is equivalent to:
>
> awk -vFS=foo /home/gordon/awktest/2.cgi
And here's the bit I'm surprised about: It will pass CGI variables as
command-line arguments??
I couldn't find that in the CGI draft. Probably it's just me, again,
not getting a security problem. Please be kind %-]
On the other hand, if any of the environment variables the server sets
coincides with one gawk interprets, that might be a problem...
Kind Regards
- Robert Figura
--
no signature this time.
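
The behaviour discussed in this thread, as an added example that is not part of the original message and is not gawk or Apache code: RFC 3875 section 4.4 says that a GET or HEAD query string with no unencoded "=" should be split on "+" into URL-decoded words that are added to the script's command line. The sketch below models that rule and flags access-log lines whose decoded words start with "-"; the function names, the `.cgi` suffix filter and the log lines are assumptions made for this example.

```python
import re
from urllib.parse import unquote

# Request line inside a Common Log Format entry: "GET /path?query HTTP/1.1"
REQUEST_RE = re.compile(r'"(GET|HEAD) (\S+?)(?:\?(\S*))? HTTP/[\d.]+"')

def cgi_argv(method, query):
    """Return the extra argv words a CGI script receives (RFC 3875, 4.4)."""
    if method not in ("GET", "HEAD") or not query:
        return []
    if "=" in query:  # an unencoded "=" means an ordinary form query, no argv
        return []
    # Indexed query: split on "+", then URL-decode each search-word.
    return [unquote(word) for word in query.split("+")]

def flag_option_injection(log_lines, script_suffix=".cgi"):
    """Return (path, argv) for requests whose decoded words look like options."""
    hits = []
    for line in log_lines:
        m = REQUEST_RE.search(line)
        if not m:
            continue
        method, path, query = m.group(1), m.group(2), m.group(3)
        if not path.endswith(script_suffix):
            continue
        argv = cgi_argv(method, query)
        # A word starting with "-" would be read as an interpreter option.
        if any(word.startswith("-") for word in argv):
            hits.append((path, argv))
    return hits

# Constructed sample access-log lines (not taken from a real server).
SAMPLE_LOG = [
    '127.0.0.1 - - [26/Nov/2014:14:15:18 +0100] "GET /awktest/2.cgi?-vFS%3Dfoo HTTP/1.1" 200 12',
    '127.0.0.1 - - [26/Nov/2014:14:15:19 +0100] "GET /awktest/2.cgi?name=value HTTP/1.1" 200 12',
    '127.0.0.1 - - [26/Nov/2014:14:15:20 +0100] "GET /awktest/2.cgi?hello+world HTTP/1.1" 200 12',
]

if __name__ == "__main__":
    for path, argv in flag_option_injection(SAMPLE_LOG):
        print(path, argv)
```

Only the first sample line is flagged: its "=" is percent-encoded, so the query counts as indexed and decodes to the single word `-vFS=foo`, matching the `awk -vFS=foo` equivalence quoted above.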