command line from web
Adam Clarke
Adam.Clarke at StrategicData.com.au
Sat Nov 16 21:21:05 CST 2002
First, since you may be on a learning curve a couple of hints based on
the fact that running system commands can get you into strife security wise.
1. Run your script with warnings on and in taint mode (#!perl -wT)
2. Have a look at the following
http://www.w3.org/Security/Faq/index.html &
http://www.oreilly.com/catalog/cgi2/chapter/ch08.html
Now as for what's going wrong.
1. When you say produces nothing do you mean that the file "hello" does
not get created or that no output is created. I ask because you are
using backticks and therefore running the system command "touch" with
"hello" as it's argument. When I run
perl -e 'print `touch hello`';
I don't get any visible output to STDOUT either, I do however got an
empty file called "hello" created. Maybe your script is working. You
remember that the current working directory of the web server (when it
runs your script) is where "hello" would get created. If your executing
from /cgi-bin/ then that's where the simple example you gave is going to
put it.
2. If the you've thought of the above and/or that's not it then check
your webserver logs. Maybe there is a clue there.
Cheers
Adam Clarke **
Michael Lindner wrote:
>hi,
>why is it that:: print `touch hello`;
>produce nothing when run in a browser initiated script?
>is this a security feature, or what am i doing wrong :-)
>(running on linux rh7.2)
>
>
>
More information about the Melbourne-pm
mailing list