SLAC's CGI Script Security Wrapper

Last Update: November 3rd, 1995

Contents

This page and the Security Wrapper are still in development.

Introduction

In many cases a WWW author may want to provide customized output which is produced by a special script, executable or program. This program may be used for such things as extracting data from a database, doing calculations or executing some other Unix command. WWW provides this capability through what are called CGI (Common Gateway Interface) scripts. A major drawback to providing CGI scripts at SLAC is that scripts at this level do not have any security of their own and could potentially execute undesirable commands or have unexpected results. See an overview on CGI script security risks and Writing More Secure CGI Scripts for more information. Also see SLAC's CGI Security Wrapper Implementation for details on how the wrapper is implemented.

In order to easily provide some minimal level of security for CGI scripts on the SLAC WWW server, we have provided a CGI security Wrapper called, appropriately enough, cgi-wrap. The server invokes the user's CGI script through the Wrapper which is itself a CGI script. The Wrapper provides some simple checking on the input to the user's CGI script. It also makes it trivial to execute "authorized" UNIX commands.

Input

The Wrapper filters the input from the various possible input sources (the CGI environment variables PATH_INFO and QUERY_STRING, standard input, and the command line) in the following ways:

How the Wrapper Calls the Script/Command

In order to reduce the possibility of the client attacking the server, the Wrapper will only call commands that are included in a Rules file. This file provides a list of correspondences between information in the URL or Form and the actual command to be executed. It also provides information on restrictions to be applied to executing the Script/Command. These restrictions include:
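The following is an added illustration of the allowlist design described above; it is not SLAC's cgi-wrap and does not reproduce its Rules file format, which this page does not show. The query string or PATH_INFO names a command, the name is resolved only through a constructed rules table, argument values are checked against a strict character allowlist, and the program is executed directly rather than through a shell.

```python
import os
import re
import subprocess
from urllib.parse import parse_qs

# Constructed stand-in for a Rules file: maps the "cmd" name supplied by a
# URL or form to the program actually executed. Names not listed here are
# never run, whatever the client sends.
RULES = {
    "date": ["/bin/date", "-u"],
    "echo": ["/bin/echo"],
}

# Conservative allowlist for argument values: a leading "-" is refused so a
# value cannot be read as an option flag, shell metacharacters and newlines
# are refused outright, and the length is capped. Reject, never "sanitize".
SAFE_ARG = re.compile(r"^(?:[A-Za-z0-9._/:@][A-Za-z0-9._/:@ -]{0,127})?$")

def parse_request(query_string, path_info=""):
    """Return (command_name, args) or raise ValueError for a refused request."""
    params = parse_qs(query_string, keep_blank_values=True)
    # The command may be named by ?cmd=... or by the PATH_INFO component.
    name = params.get("cmd", [path_info.strip("/")])[0]
    if name not in RULES:
        raise ValueError("command not in rules file: %r" % name)
    args = params.get("arg", [])
    for a in args:
        if not SAFE_ARG.match(a):
            raise ValueError("rejected argument: %r" % a)
    return name, args

def build_argv(query_string, path_info=""):
    """Resolve the request to the exact argv that would be executed."""
    name, args = parse_request(query_string, path_info)
    return RULES[name] + args

def run(query_string, path_info=""):
    argv = build_argv(query_string, path_info)
    # argv list, no shell, minimal environment, bounded runtime.
    return subprocess.run(argv, capture_output=True, text=True,
                          env={"PATH": "/usr/bin:/bin"}, timeout=10).stdout

if __name__ == "__main__":
    print("Content-Type: text/plain\r\n\r\n", end="")
    try:
        print(run(os.environ.get("QUERY_STRING", ""),
                  os.environ.get("PATH_INFO", "")))
    except ValueError as e:
        print("Request refused: %s" % e)
```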

Invoking the Wrapper from Your URL or Form

To invoke your script from a URL:

To invoke your script from a Form, proceed as follows:

What Else Do You Have to Do

Examples of REXX scripts to be called by the Wrapper


Les Cottrell and George Crane