Re: Re: HTTP/CGI Backup interface w/Perl

Yup. Don't do anything silly like system("tar cvf - $my_user_input_from_a_form");, unless you want to hand out tar files of your server's passwords, though.

andramoiennepemousapolutropon

Comment on Re: Re: HTTP/CGI Backup interface w/Perl Download Code

Replies are listed 'Best First'.
Re: Re: Re: HTTP/CGI Backup interface w/Perl by sauoq (Abbot) on Jun 10, 2003 at 00:36 UTC
This is very good advice and I was remiss in not noting such myself. That said, you should also know that, if you did so, you might risk a whole lot worse than the loss of your password file. It would permit a user to run any arbitrary command on your system with privileges the same as those that the cgi script runs with. Know the risks, understand the issues, and use the `-T` option to help you catch dangerous code. -sauoq "My two cents aren't worth a dime.";	[reply]

Replies are listed 'Best First'.

Re: Re: Re: HTTP/CGI Backup interface w/Perl
by sauoq (Abbot) on Jun 10, 2003 at 00:36 UTC

This is very good advice and I was remiss in not noting such myself. That said, you should also know that, if you did so, you might risk a whole lot worse than the loss of your password file. It would permit a user to run any arbitrary command on your system with privileges the same as those that the cgi script runs with.

Know the risks, understand the issues, and use the -T option to help you catch dangerous code.

-sauoq
"My two cents aren't worth a dime.";

[reply]