1 Environment Variables
#!/usr/local/bin/perl -w
use strict;
use CGI qw(:standard);

# header() prints the "Content-type: text/html" line that has to come
# before any HTML output.
print header();
print "<html><head><title> Environment Variables
</title></head><body>";
print "<h3>Environment variables script</h3>";
print "<p> Here are the environment variables that this CGI
script has been called with</p><hr>";
# The web server fills %ENV before it starts the script. Variables that
# are not set (e.g. REMOTE_USER when no authentication is used) print as
# empty and produce a -w warning in the server's error log. Note that
# QUERY_STRING, PATH_INFO and all HTTP_* values are copied straight from
# the client's request and are printed here without any HTML escaping
# (see section 3 for why that matters).
print "
<pre>
SERVER_SOFTWARE = $ENV{'SERVER_SOFTWARE'}
SERVER_NAME = $ENV{'SERVER_NAME'}
GATEWAY_INTERFACE = $ENV{'GATEWAY_INTERFACE'}
SERVER_PROTOCOL = $ENV{'SERVER_PROTOCOL'}
SERVER_PORT = $ENV{'SERVER_PORT'}
REQUEST_METHOD = $ENV{'REQUEST_METHOD'}
HTTP_ACCEPT = '$ENV{'HTTP_ACCEPT'}'
PATH_INFO = $ENV{'PATH_INFO'}
PATH_TRANSLATED = $ENV{'PATH_TRANSLATED'}
SCRIPT_NAME = $ENV{'SCRIPT_NAME'}
QUERY_STRING = $ENV{'QUERY_STRING'}
REMOTE_HOST = $ENV{'REMOTE_HOST'}
REMOTE_ADDR = $ENV{'REMOTE_ADDR'}
REMOTE_USER = $ENV{'REMOTE_USER'}
CONTENT_TYPE = $ENV{'CONTENT_TYPE'}
CONTENT_LENGTH = $ENV{'CONTENT_LENGTH'}
DOCUMENT_ROOT = $ENV{'DOCUMENT_ROOT'}
HTTP_USER_AGENT = $ENV{'HTTP_USER_AGENT'}
HTTP_REFERER = $ENV{'HTTP_REFERER'}
</pre>";
print "<hr></body></html>";
1.1 Exercises
1) You can also print all environment variables using the following
code (try it). The loop needs "my" because the script above runs
under "use strict".
foreach my $elem (sort keys %ENV) {
print "$elem = $ENV{$elem}<br>";
}
2) Use one of the CGI scripts that you have created earlier in this
semester. Include a print statement in the CGI script that
prints the environment variables REQUEST_METHOD, QUERY_STRING
and CONTENT_LENGTH. Note that some of these are only set if the
method for sending the form is "get", others only if the
method is "post": QUERY_STRING carries the form data of a "get"
request, CONTENT_LENGTH gives the number of bytes of form data that a
"post" request sends on standard input. (Check the
<form action=... method=... > tag in your form.)
REQUEST_METHOD and CONTENT_LENGTH can be used to
increase the security of your script: reject requests that do not use
the method your form sends, and refuse to read the input at all if
CONTENT_LENGTH exceeds a predefined maximum length.
2 Customize Pages with CGI
CGI can show different pages to different users depending on user preferences.
2.1 Exercises
3) Ask a user to input their name into a textfield and
to choose a color from a popup menu. Then display a page with
a short message (e.g. "Thank you $name for your request") in that color.
3 Security on CGI Pages
There are several security problems and error sources for CGI scripts
such as the one above.
Here are some security tips:
- If the script prints user input, or HTML code that is retrieved from the
web, apply
$text =~ s/</&lt;/g;
$text =~ s/>/&gt;/g;
to the text before printing it. (If the text may contain "&", replace it
with &amp; before these two substitutions, otherwise the entities you just
inserted are mangled; if the text goes inside an attribute value, replace
the quote character with &quot; as well.)
- For input from radio buttons, menu selections and check boxes, check
against the list of all possible values with an if statement. In case of
an unexpected value, print an error message and stop the script: the
browser enforces nothing, so a request can carry any value at all.
- Don't ask the user for a filename and then write to that file.
- Files that are written to should not be in a directory
that allows server-side includes, active server pages, PHP
pages, or other HTML template systems.
- Don't install CGI code from untrusted sources on your server.
- If you use sendmail to email back to a user, apply
unless ($email =~ /^[\w\.+-]+\@[\w\.+-]+$/) {
die 'Address not in form foo@nowhere.com';
}
to the address and run sendmail as "sendmail -t -oi", so that the
recipient is read from the To: header you write rather than being passed
on the command line. (Note that $ also matches before a trailing newline;
anchor with \z if a trailing newline must be rejected too.)
- Never allow user input into a system() or exec() call
or into an expression with backticks (`).
- When using open() to call a program (a pipe open),
always check any user input that goes into this statement.
- If your script writes to a file, lock the file (flock) so that two
scripts cannot write to it at the same time.
- If you use perl -T (taint mode) and system calls (or sendmail), you may
need to include
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
at the beginning of your script, and variables may need to be untainted
using a pattern match.
- Be careful with PATH_INFO. Validate its contents.
- Check the REQUEST_METHOD variable to verify that the data
was sent by POST (or GET or ...).
- Check the CONTENT_LENGTH variable to restrict the amount of
input text.
More information is available on the security of
CGI scripts,
Perl/CGI and general WWW security.
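The sendmail tip above, written out as a complete script. This is an added example, not code from the course; the form field name "email", the sender address webmaster@example.com and the sendmail path /usr/sbin/sendmail are assumptions. It shows the shell-interpolated open() that the tips warn about next to the list form of open(), which starts sendmail directly without a shell, and runs under taint mode so that unchecked request data cannot reach a command at all:

```perl
#!/usr/local/bin/perl -wT
use strict;
use CGI qw(:standard);

# Taint mode (-T) refuses to pass data derived from the request to
# open()/system() until it has been checked, and requires a known PATH
# before any program is run, even one given by its full path.
$ENV{'PATH'} = '/bin:/usr/bin:/usr/local/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $email = param('email');            # field name is an assumption
$email = '' unless defined $email;

# Validate and untaint in one step: only the characters of a plain
# address are allowed, anchored with \A and \z so that an embedded or
# trailing newline (which would start a new mail header) cannot slip
# through as it could with $ alone. The capture $1 is untainted.
unless ($email =~ /\A([\w.+-]+\@[\w.+-]+)\z/) {
    print header(), "<p>Address not in form foo\@nowhere.com</p>";
    exit;
}
my $safe_email = $1;

# UNSAFE (shown for contrast, do not use): the address is interpolated
# into a command line that /bin/sh parses, so an address such as
# "x; rm -rf /" would run the extra command.
#   open(MAIL, "|/usr/sbin/sendmail $email");

# SAFE: the list form of open() runs sendmail with exactly these
# arguments and no shell. -t makes sendmail take the recipient from
# the headers we write, so the address never appears on the command
# line; -oi stops a line containing only "." from ending the message.
open(my $mail, '|-', '/usr/sbin/sendmail', '-t', '-oi')
    or die "cannot run sendmail: $!";
print $mail "To: $safe_email\n";
print $mail "From: webmaster\@example.com\n";   # assumed sender
print $mail "Subject: Your request\n\n";
print $mail "Thank you for your request.\n";
close($mail) or die "sendmail exited with status $?";

# Escape before echoing the address back into the page (CGI.pm's
# escapeHTML handles &, <, > and quotes).
print header(), "<p>Mail sent to ", CGI::escapeHTML($safe_email), "</p>";
```

Writing the address into the To: header rather than the command line means the only thing the validation has to guarantee is that the header stays a single line; the list-form open() removes the shell from the picture entirely.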
3.1 Exercises
4) In the previous script check whether the input is
reasonable and not empty:
- check whether the name and color contain only word characters
or "-".
- check that neither name nor color is longer than 100 chars (use the
{100,} multiplier to detect an over-long value).
If the criteria are not fulfilled, do not
display the results page but instead show an error message.
5) For the $name variable replace the HTML characters "<" and ">"
with &lt; and &gt; before printing the name.
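The checks from the tips in section 3, together with the validation and escaping asked for in exercises 4 and 5, combined into one hardened version of the name/color script from exercise 3. This is an added example and not the course's own solution; the field names "name" and "color", the set of menu colors (red, green, blue, black) and the 1024-byte body limit are assumptions:

```perl
#!/usr/local/bin/perl -wT
use strict;
use CGI qw(:standard);

# Assumed limits and allowed values; adjust them to match the form.
my $MAX_CONTENT_LENGTH = 1024;                                  # bytes of POST data
my %ALLOWED_COLORS     = map { $_ => 1 } qw(red green blue black);  # popup menu values

# Make CGI.pm's own limit agree with ours: it will then refuse to read a
# larger body even if header() or param() is called after a failed check.
$CGI::POST_MAX        = $MAX_CONTENT_LENGTH;
$CGI::DISABLE_UPLOADS = 1;

# Abort with an error page. Only fixed messages are printed here, never
# the rejected input itself.
sub fail {
    my ($msg) = @_;
    print header(-status => '400 Bad Request'),
          "<html><body><p>Error: $msg</p></body></html>";
    exit;
}

# Escape text for insertion into HTML. "&" has to go first, otherwise
# the entities added by the later substitutions would be escaped again.
sub escape_html {
    my ($text) = @_;
    $text =~ s/&/&amp;/g;
    $text =~ s/</&lt;/g;
    $text =~ s/>/&gt;/g;
    $text =~ s/"/&quot;/g;
    return $text;
}

# 1. The form is expected to be sent with method="post".
fail("form must be submitted with POST")
    unless ($ENV{'REQUEST_METHOD'} || '') eq 'POST';

# 2. Refuse oversized (or malformed) bodies before anything reads them.
my $len = $ENV{'CONTENT_LENGTH'};
fail("missing or invalid CONTENT_LENGTH")
    unless defined $len && $len =~ /\A\d+\z/;
fail("too much input") if $len > $MAX_CONTENT_LENGTH;

# 3. Fetch and validate each field.
my $name  = param('name');
my $color = param('color');
fail("missing name or color") unless defined $name && defined $color;

# name: 1 to 100 word characters or "-", anchored with \A and \z so a
# trailing newline does not pass; this also rejects the empty string.
fail("name must be 1-100 letters, digits, _ or -")
    unless $name =~ /\A[\w-]{1,100}\z/;

# color: the menu offers a fixed set, so anything else was not sent by
# our form. A hash lookup is the "if statement over all values".
fail("unexpected color value") unless $ALLOWED_COLORS{$color};

# 4. Output. The name is escaped even though the regex above already
#    excludes < and >: the output encoding should not depend on the
#    validation staying that strict.
my $safe_name = escape_html($name);
print header();
print "<html><head><title>Thank you</title></head><body>\n";
print "<p style=\"color: $color\">Thank you $safe_name for your request</p>\n";
print "</body></html>\n";
```

Because $color is checked against a fixed list it can be placed directly into the style attribute; $name, which is free text, goes through escape_html() first. CGI.pm's CGI::escapeHTML() does the same job as the escape_html() helper and can be used instead.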