http://qs1969.pair.com?node_id=519596


in reply to Calling system function in cgi

A CGI script is not much different from a 'normal' Perl script, except that it's usually called from a web interface instead of from a command line (and it has much more rigid output requirements, and a few other minor details). So it can do whatever you can do in a 'normal' script that you may write to be used on the command line.

That said, do you want someone to be able to spawn test.exe on your web server from a web page? If test.exe takes any significant amount of resources, consider the abuse where someone bounces on the refresh button and spawns a bunch of test.exe's, happily eating away your system's performance. As long as you've thought of this and taken a measure to prevent this kind of abuse, or others that stem from executing a system program from the command line, you should be fine.

Oh, and it was mentioned above, but just to make sure you see it: untaint any data you may pass to any system call.
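An added example, not part of the original post, combining the two precautions the reply mentions: untainting a request parameter before it reaches an external program, and refusing to start a second copy while one is still running. The parameter name `file`, the program path, the lock file path and the Unix-style `PATH` are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use CGI;
use Fcntl qw(:flock);

# Taint mode will not run external programs with an inherited environment.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $PROGRAM   = '/opt/app/test.exe';          # assumed install path
my $LOCK_FILE = '/var/lock/test-cgi.lock';    # assumed lock file location

my $q = CGI->new;

# Send a complete plain-text response and stop.
sub finish {
    my ($status, $message) = @_;
    print $q->header(-type => 'text/plain', -status => $status), "$message\n";
    exit 0;
}

# Untaint by matching an allowlist pattern and keeping only the capture.
# Anything that is not a short word followed by ".txt" is rejected.
my $raw = $q->param('file');
$raw = '' unless defined $raw;
my ($file) = $raw =~ /\A([A-Za-z0-9_]{1,32}\.txt)\z/
    or finish('400 Bad Request', 'invalid file name');

# One run at a time: a non-blocking exclusive lock makes repeated
# refreshes fail fast instead of stacking up processes.
open(my $lock, '>>', $LOCK_FILE)
    or finish('500 Internal Server Error', 'cannot open lock file');
flock($lock, LOCK_EX | LOCK_NB)
    or finish('503 Service Unavailable', 'already running, try again later');

# List-form pipe open: no shell is involved, so the argument is passed
# to the program as-is, and its output is captured rather than written
# ahead of the HTTP header.
open(my $out, '-|', $PROGRAM, $file)
    or finish('500 Internal Server Error', 'cannot start program');
my @lines = <$out>;
close($out)    # close() returns false when the program exits non-zero
    or finish('500 Internal Server Error', 'program failed');

finish('200 OK', join('', @lines));
```

The lock is released when the script exits, so the next request can run as soon as the current one finishes.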