CGI Programming on the World Wide WebBy Shishir Gundavaram
1st Edition March 1996
This book is out of print, but it has been made available online through the O'Reilly Open Books Project.
Wouldn't it be great if we could execute either a CGI or a system program and place its output in our HTML document? With the SSI command exec, we can do just that using the exec cmd directive:
Welcome <!--#echo var="REMOTE_USER"-->. Here is some information about you: <PRE> <!--#exec cmd="/usr/ucb/finger $REMOTE_USER@$REMOTE_HOST"--> </PRE>
In this example, we use the UNIX finger command to retrieve some information about the user. SSI allows us to pass command-line arguments to the external programs. If you plan to use environment variables as part of an argument, you have to precede them with a dollar sign. The reason for this is that the server spawns a shell to execute the command, and that's how you would access the environment variables if you were programming in a shell. Here is what the output will look like, assuming REMOTE_USER and REMOTE_HOST are "shishir" and "bu.edu", respectively:
Welcome shishir. Here is some information about you: <PRE> [bu.edu] Trying 126.96.36.199... Login name: shishir In real life: Shishir Gundavaram Directory: /usr3/shishir Shell: /usr/local/bin/tcsh Last login Thu Jun 23 08:18 on ttyq1 from nmrc.bu.edu:0. New mail received Fri Dec 22 01:51:00 1995; unread since Thu Dec 21 17:38:02 1995 Plan: Come on, aren't you done with the book yet? </PRE>
You should enclose the output from an external command in a <PRE>..</PRE> block, so that whitespace is preserved. Also, if there is any HTML code within the data output by the external program, the browser will interpret it!
(To use the exec directive, remember that you need to enable Exec in the Options line of the access.conf file, as described in the "Configuration" seciton earlier in this chapter.)
Having the ability to execute external programs makes things easier, but it also poses a major security risk. Say you have a "guestbook" (a CGI application that allows visitors to leave messages for everyone to see) on a server that has SSI enabled. Most such guestbooks around the Net actually allow visitors to enter HTML code as part of their comments. Now, what happens if a malicious visitor decides to do some damage by entering the following:
<--#exec cmd="/bin/rm -fr /"-->
If the guestbook CGI program was designed carefully, to strip SSI commands from the input, then there is no problem. But, if it was not, there exists the potential for a major headache!
Back to: CGI Programming on the World Wide Web
© 2001, O'Reilly & Associates, Inc.