Re: CGI scripts in sh

[-jf- <fergusoj () QUIK COM>]

the way i understand it ( and anyone can add to it, or correct my mistakes )
is
a: i think security is a languange independant thing, and its more how its
coded, then what language you used, to a degree of course ( e.g. not all
languages have functions that dont do bounds checking, but then those that do,
you can expliciting add them or use functions that automatically add them. )
b: i think the idea behind shell scripts being insecure is the ability to
escape from them and give them output of the likes not intended...it is a shell
afterall
c: i believe a shell script owned by a normal user ( normal meaning a user that
isnt a superuser or even has access to things such as your webserver...) is
fairley safe, as safe as giving a user account to whoever is running it ( i
would never use a shell script for cgi ( or any other type of remote
application ) regardless of who owns it  )
d: things like restricted shell and traps make things alot harder, along with
like set -e where the script exits upon error..harder that is for a potential
attacker...but never the less i would never dump any amount of security into
any shell script ( on a side note im very weary of perl and such also its not
just a shell scripting thing )

in conclusion,  i think if used properly shell scripts can be somewhat secure,
although like i pointed out it is essentialy a shell spitting out canned
commands..i myself havent written to much in shell scripts, but have been
playing with them lately...and have not really played with the security idea's
behind them also...I do know certain ( if not all ) linux distros ( I dont know
if its a distro thing or a kernel thing which would make it distro independant
) wont allow suid root shell scripts for obvious reasons.
i hope this expalined things a tad bit, i doubt they did as i hardly understand
it myself...just think of the consequences quotes slashs and other character
could have on certain functions/command/variables.
the point is nothing is flawless, regardless of language

-jf-

Crypteria wrote:

> I got a question concerning CGI scripts, i've been told that sh scripts are
> way
> more insecure than perl or c/c++ scripts. I find great to use the power of
> shell
> scripting and the ability to use commands in scripts and I just wondered why
> they could be more insecure ? After all, a good shell scripts can be
> flawless
> just as a bad perl script can be dangerous...