Re: Secure popen

From: Richard Mirch (mirchrat_private)
Date: Tue Jun 19 2001 - 15:16:30 PDT

  • Next message: Peter Jeremy: "Re: Secure popen"

    Is there any specific reason why you are writing a simple CGI in c++? If
    it is for learning, then I can see the point but this can easily be done
    securely and efficiently in PERL or perhaps PHP(never had a chance to do
    this). With very few lines of actual code, PERL can sanitize your input.
    IMHO - I would use PERL because its very easy to parse and strip out
    strings quickly. Also, maintaining the code will be somewhat of a pain
    using a compiled language. I dont know a safe alternative using c/c++
    other then enforcing your input against an allowed character set. My safe
    and quick alternative is to use PERL but that might not be an option for
    you. Of course, whatever you use, you need to validate your input - just a
    matter of how much time you want to take up.
    
    -Rich
    
    On Tue, 19 Jun 2001, Aaron Bentley wrote:
    
    > I'm writing a CGI program in C++ that sends email.  I'm using Sendmail
    > for the transmission, so I need a command that lets me specify stdin for
    > Sendmail.
    > I understand popen() is not very secure, because it uses the shell to
    > execute the command, but I don't know of a safe alternative.  I can
    > sanitize my input, but is escaping all non-alphanumeric characters the
    > right answer?
    > 
    > The program is not privileged, but I don't want people to be able to
    > gain privileges as 'nobody' on the web server.
    > 
    > Any suggestions for this ?
    > 
    > Aaron
    > 
    > --
    > Aaron Bentley
    > Manager of Information Technology
    > PanoMetrics, Inc.
    > 
    > 
    > 
    



    This archive was generated by hypermail 2b30 : Tue Jun 19 2001 - 20:32:21 PDT