[Top][All Lists]

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Passing values

From: Przemek Klosowski
Subject: Re: Passing values
Date: Mon, 13 May 2002 09:33:18 -0500

passing parameters on the command line is fine, but you have to make a judgement
about how secure you want it to be. The problem is that if you pass arguments 
from a CGI script to the octave script, you open yourself up to the possibility
of someone passing a handcrafted commandline argument that will be executed
at a privilege level of your web server. I.e., normally your octave script will
be called, like Mike said, "squared 7"; however, if someone inputs, instead
of plain '7', the following string: '7; rm -rf /', the CGI will execute
the following call:

        system('squared 7; rm -rf /')

which will remove all web-server-accessible files on your system.

If that is a concern, one way to protect against the attack is to use
the fork/exec calls instead of system.

Octave is freely available under the terms of the GNU GPL.

Octave's home on the web:
How to fund new projects:
Subscription information:

reply via email to

[Prev in Thread] Current Thread [Next in Thread]