Follow Techotopia on Twitter

On-line Guides
All Guides
eBook Store
iOS / Android
Linux for Beginners
Office Productivity
Linux Installation
Linux Security
Linux Utilities
Linux Virtualization
Linux Kernel
System/Network Admin
Programming
Scripting Languages
Development Tools
Web Development
GUI Toolkits/Desktop
Databases
Mail Systems
openSolaris
Eclipse Documentation
Techotopia.com
Virtuatopia.com
Answertopia.com

How To Guides
Virtualization
General System Admin
Linux Security
Linux Filesystems
Web Servers
Graphics & Desktop
PC Hardware
Windows
Problem Solutions
Privacy Policy

  




 

 

Previous Chapter 5
Server Side Includes
Next
 

5.6 Executing External Programs

Wouldn't it be great if we could execute either a CGI or a system program and place its output in our HTML document? With the SSI command exec, we can do just that using the exec cmd directive:

Welcome <!--#echo var="REMOTE_USER"-->. Here is some information about you:
<PRE>
<!--#exec cmd="/usr/ucb/finger $REMOTE_USER@$REMOTE_HOST"-->
</PRE>

In this example, we use the UNIX finger command to retrieve some information about the user. SSI allows us to pass command-line arguments to the external programs. If you plan to use environment variables as part of an argument, you have to precede them with a dollar sign. The reason for this is that the server spawns a shell to execute the command, and that's how you would access the environment variables if you were programming in a shell. Here is what the output will look like, assuming REMOTE_USER and REMOTE_HOST are "shishir" and "bu.edu", respectively:

Welcome shishir. Here is some information about you:
<PRE>
[bu.edu]
Trying 128.197.154.10...
Login name: shishir           In real life: Shishir Gundavaram
Directory: /usr3/shishir      Shell: /usr/local/bin/tcsh
Last login Thu Jun 23 08:18 on ttyq1 from nmrc.bu.edu:0.
New mail received Fri Dec 22 01:51:00 1995;
        unread since Thu Dec 21 17:38:02 1995
Plan:
Come on, aren't you done with the book yet?
</PRE>

You should enclose the output from an external command in a <PRE>..</PRE> block, so that whitespace is preserved. Also, if there is any HTML code within the data output by the external program, the browser will interpret it!

(To use the exec directive, remember that you need to enable Exec in the Options line of the access.conf file, as described in the "Configuration" seciton earlier in this chapter.)

Having the ability to execute external programs makes things easier, but it also poses a major security risk. Say you have a "guestbook" (a CGI application that allows visitors to leave messages for everyone to see) on a server that has SSI enabled. Most such guestbooks around the Net actually allow visitors to enter HTML code as part of their comments. Now, what happens if a malicious visitor decides to do some damage by entering the following:

<--#exec cmd="/bin/rm -fr /"-->

If the guestbook CGI program was designed carefully, to strip SSI commands from the input, then there is no problem. But, if it was not, there exists the potential for a major headache!


Previous Home Next
File Statistics Book Index Executing CGI Programs

 
 
  Published under free license. Design by Interspire