Warnings about CGI scripts:
- CGI scripts run on the server in the context of the http daemon (logged in as www)
- They allow outside users to run commands on our machines; this
has serious security implications
- Be sure your scripts are safe when they execute commands that
include data from the user
- Watch out for shell special characters (; ` { } ( ) | & < > $ \, and also quotes and newlines), and know how your shell treats these; never pass user data to a shell without checking it first
- If your script crashes, you may not get any new page (the browser may wait indefinitely for a response that never arrives)
- If a command exits with an error, you will not see its error message (unless you redirect standard error to standard output)
- If your script fails, check the environment variables of the server (e.g., PATH) to make sure it works in that context
- CGI scripts only run for http: URLs, not file: URLs (i.e., not from "Open Local")
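The following is an added example, not code from the original page, showing the points above in one script: a command built from user data and handed to a shell (so a value like "alice; echo INJECTED" runs a second command), beside a hardened version that validates the value against an allow-list, executes the program directly with no shell, fixes PATH explicitly instead of trusting the daemon's environment, and merges standard error into standard output so an error message is not lost. The allow-list pattern, the minimal environment and the sample inputs are assumptions made for this example; "echo" stands in for whatever real command the script would run.

```python
import re
import subprocess
import sys

# Shell metacharacters the warning list calls out: ; ` { } ( ) | & < > $ \
# plus newline and quotes, which the shell also treats specially.
SHELL_METACHARS = set(";`{}()|&<>$\\\n'\"")

# Assumption for this example: a tight allow-list for the one argument we pass
# (a user name). Reject anything else rather than try to escape it.
SAFE_ARG = re.compile(r"[A-Za-z0-9._-]+")

# Assumption: a fixed, minimal environment so the script does not depend on
# whatever PATH the http daemon happened to inherit.
SAFE_ENV = {"PATH": "/usr/bin:/bin"}


def has_shell_metachars(s):
    """Return True if s contains any character the shell would interpret."""
    return any(ch in SHELL_METACHARS for ch in s)


def lookup_vulnerable(user):
    """DO NOT USE: builds a command line from user data and hands it to a shell.

    'echo' stands in for a real command; with shell=True the constructed
    input 'alice; echo INJECTED' becomes two separate commands.
    """
    cmd = "echo " + user
    proc = subprocess.run(cmd, shell=True, stdout=subprocess.PIPE, text=True)
    return proc.stdout


def run_no_shell(argv):
    """Run argv directly (no shell), with a fixed environment, and merge
    stderr into stdout so an error message is not silently dropped.

    Returns (exit status, combined output).
    """
    proc = subprocess.run(
        argv,
        env=SAFE_ENV,
        stdout=subprocess.PIPE,
        stderr=subprocess.STDOUT,
        text=True,
    )
    return proc.returncode, proc.stdout


def lookup_hardened(user):
    """Validate the user-supplied value, then exec without a shell."""
    if not SAFE_ARG.fullmatch(user):
        raise ValueError("rejected user input: %r" % (user,))
    return run_no_shell(["echo", user])


def failing_command_demo():
    """Show what a failing command looks like to the script: both the exit
    status and the stderr text come back, so the script can still send a
    page instead of leaving the browser waiting. (Uses the running Python
    interpreter as the command so the example needs nothing else installed.)
    """
    return run_no_shell(
        [sys.executable, "-c", "import sys; sys.stderr.write('oops\\n'); sys.exit(3)"]
    )


if __name__ == "__main__":
    attacker = "alice; echo INJECTED"   # constructed sample input
    print("vulnerable:", repr(lookup_vulnerable(attacker)))
    print("no shell  :", run_no_shell(["echo", attacker]))
    try:
        lookup_hardened(attacker)
    except ValueError as exc:
        print("hardened  :", exc)
    print("hardened  :", lookup_hardened("alice"))
    print("failure   :", failing_command_demo())
```

Run it as an ordinary script first; in a real CGI the same functions would be called with the value taken from the query string or form data, and the returned output (or the error status) written out after the Content-type header. The allow-list check is the part to keep even when there is no shell involved, because the program you exec may itself give special meaning to leading dashes or other characters.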