Re: Passing values
From: Przemek Klosowski
Subject: Re: Passing values
Date: Mon, 13 May 2002 09:33:18 -0500
Passing parameters on the command line is fine, but you have to make a judgement
about how secure you want it to be. The problem is that if you pass arguments
from a CGI script to the octave script, you open yourself up to the possibility
of someone passing a handcrafted commandline argument that will be executed
at a privilege level of your web server. I.e., normally your octave script will
be called, like Mike said, "squared 7"; however, if someone inputs, instead
of plain '7', the following string: '7; rm -rf /', the CGI will execute
the following call:
system('squared 7; rm -rf /')
which will remove all web-server-accessible files on your system.
If that is a concern, one way to protect against the attack is to use
the fork/exec calls instead of system.
-------------------------------------------------------------
Octave is freely available under the terms of the GNU GPL.
Octave's home on the web: http://www.octave.org
How to fund new projects: http://www.octave.org/funding.html
Subscription information: http://www.octave.org/archive.html
-------------------------------------------------------------
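An added example, not code from the thread: the difference between handing a CGI-supplied value to the shell through a system()-style command string and launching the child exec-style with an argv list, which is what the fork/exec advice above amounts to. The 'squared' Octave script is stood in for by a small Python one-liner so the example runs offline; that stand-in, the function names and the integer allowlist are assumptions made here.

```python
"""Added example (not from the original post): passing a CGI-supplied value
to a child process exec-style (argv list, no shell) instead of through a
system()-style command string, with an input allowlist in front of it."""
import re
import subprocess
import sys

# Stand-in for the thread's 'squared' script (assumption): squares argv[1].
SQUARED_STANDIN = "import sys; print(int(sys.argv[1]) ** 2)"

# Allowlist: only an optionally signed integer is accepted.
INTEGER_RE = re.compile(r"^[+-]?\d+$")


def validate_integer(user_value):
    """Return user_value if it is a plain integer string, else raise.
    Rejecting anything outside the allowlist is the first line of defence,
    whatever launch mechanism is used afterwards."""
    if not INTEGER_RE.match(user_value):
        raise ValueError("not a plain integer: %r" % user_value)
    return user_value


def shell_command_string(user_value):
    """The string a system()-style call would hand to /bin/sh.  It is only
    built here, never executed: it shows that the user's text becomes part
    of the command line, so a ';' in it is a command separator to the shell."""
    return "squared %s" % user_value


def argv_seen_by_child(user_value):
    """Launch a child exec-style (argv list, shell=False) and return the one
    argument it received.  No shell parses anything, so metacharacters in
    user_value are inert: the child sees them as plain data in argv[1]."""
    proc = subprocess.run(
        [sys.executable, "-c", "import sys; print(sys.argv[1])", user_value],
        capture_output=True, text=True, check=True)
    return proc.stdout.rstrip("\n")


def run_squared_safe(user_value):
    """Validate, then run the stand-in 'squared' script exec-style and
    return its integer result.  Both layers apply: the allowlist rejects
    junk early, and the argv list means even an accepted value is never
    interpreted by a shell."""
    value = validate_integer(user_value)
    proc = subprocess.run(
        [sys.executable, "-c", SQUARED_STANDIN, value],
        capture_output=True, text=True, check=True)
    return int(proc.stdout)


if __name__ == "__main__":
    # Constructed inputs: the benign one and the hostile one from the thread.
    for arg in ("7", "7; rm -rf /"):
        print("shell string would be:", repr(shell_command_string(arg)))
        print("child argv[1] actually is:", repr(argv_seen_by_child(arg)))
        try:
            print("squared:", run_squared_safe(arg))
        except ValueError as exc:
            print("rejected:", exc)
```

The point the second function makes is the one the post is driving at: with an argv list the entire user string lands in argv[1] of the child, separator characters included, because no shell ever sees it. Validation still belongs in front of the call, since the child program itself may not cope with arbitrary input.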