Vulnerability Development mailing list archives
Re: CGI scripts in sh
From: Mark Rafn <dagon () DAGON NET>
Date: Thu, 21 Sep 2000 09:30:14 -0700
[not sure this kind of general question is on topic or not, but it's close. If you disagree, Mr. Moderator, feel free to reject this message.]

On Thu, 21 Sep 2000, Crypteria wrote:

> I got a question concerning CGI scripts; I've been told that sh scripts are way more insecure than Perl or C/C++ scripts.

Never accept statements like this at face value - always ask for specifics. In this case, there are some reasons to be extra careful with shell scripting.

> I find it great to use the power of shell scripting and the ability to use commands in scripts, and I just wondered why they could be more insecure?

Primarily because it's so easy (and necessary) to use external system commands in scripts, and each one is interpreted by the shell before the external program gets it. You introduce any vulnerability these external commands have into your CGI. It's also tricky to wash user data to make it safe for use on a command line.

> After all, a good shell script can be flawless just as a bad Perl script can be dangerous...

Absolutely. But it's much harder to write a good shell script than good Perl. Specifically, it's a lot easier in Perl to avoid sending user data to dangerous or not-fully-understood external programs. There are three main reasons Perl is better here:

1) More builtins with mostly-understandable semantics. The language itself makes it easy to do a lot of things directly from the code, without the extra step of constructing and parsing a shell command line. C/C++ has this advantage as well, for some tasks.

2) Taint mode. This is HUGE. Perl tells you when you're letting user-supplied data into an unsafe operation. It's not perfect (especially if you just untaint stuff without understanding why you have to), but it's a giant step up.

3) String handling. Perl makes it possible to analyze user input and clean or reject input that has illegal characters or other errors BEFORE sending it to any external program. In a shell, you often can't, or must jump through many quoting hoops.

--
Mark Rafn    dagon () dagon net    <http://www.dagon.net/>
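The "quoting hoops" the reply mentions, as an added example that is not part of the original post or the thread: a POSIX sh CGI fragment that rejects any user-supplied value outside an explicit allowlist before it can reach a command line, then passes it as a single quoted argument after `--`. The `user` parameter, the 32-character limit and the use of `id` as a stand-in for the external program are assumptions made for the example.

```shell
#!/bin/sh
# Added example, not code from the original thread: the input washing a
# shell CGI needs before any user-supplied value reaches a command line.
# 'id' stands in for whatever external program the script would call.
LC_ALL=C; export LC_ALL            # make the [A-Za-z] ranges below predictable
PATH=/usr/bin:/bin; export PATH    # never inherit PATH from the web server

# Accept only 1-32 characters from an explicit allowlist. Anything the shell
# treats specially (space, quotes, $ ` ; | & < > newline) is rejected, not
# escaped; a leading '-' is rejected so it cannot be read as an option.
validate_user() {
    case "$1" in
        '')                 return 1 ;;
        -*)                 return 1 ;;
        *[!A-Za-z0-9._-]*)  return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Print the value of key $2 from QUERY_STRING $1. No URL-decoding is done,
# so %XX and '+' sequences stay literal and then fail the allowlist.
query_param() {
    rest="&$1"
    case "$rest" in
        *"&$2="*) ;;
        *)        return 1 ;;
    esac
    rest=${rest#*"&$2="}
    printf '%s\n' "${rest%%&*}"
}

# CGI entry point: validate first, then call the external program with the
# value double-quoted and after '--' so it is one argument, never re-parsed.
lookup_user() {
    value=$(query_param "$1" user) && validate_user "$value" || {
        printf 'Status: 400 Bad Request\r\nContent-Type: text/plain\r\n\r\n'
        printf 'rejected: user must be 1-32 chars of [A-Za-z0-9._-]\n'
        return 1
    }
    printf 'Content-Type: text/plain\r\n\r\n'
    id -- "$value"
}

# Uncomment to run as a real CGI:
# lookup_user "${QUERY_STRING-}"
```

Rejecting rather than escaping is the point: once a value has passed `validate_user`, there is nothing left in it for the shell or the called program to interpret.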