At 2:07 pm 18/4/96, A.Sloman@cs.bham.ac.uk wrote:
>I believe that the issue has been addressed in the environment in which
>the students are working.
I would still point students towards the FAQ. The usual way of dealing with
"normal" people running CGI scripts is to have them run with the author's
user ID. While this restricts the damage a bad CGI can inflict, it doesn't
prevent a badly implemented CGI program damaging the user, installing a
trojan, etc.
Two other useful sites on CGI security are:
http://www.cerf.net/~paulp/cgi-security/safe-cgi.txt
http://www.thinkage.on.ca/~mlvanbie/cgisec/
I might be completely wrong here (you may be running a private HTTP server
without world access). However, any tutorial on writing CGI scripts should
hammer the security issues in with a very large mallet :-)
>I presume that in any case one can just run netscape as a general
>purpose interface with an html file on one's own machine, as input.
Nope. Running a CGI script involves an HTTP server.
Adrian (adrianh@oneworld.co.uk)