I need a button on a web-page that will do the following:
The filenames to be concatenated will be POSTed as parameters, and this is the only thing the button will ever do.

I'm wary of using CGI with a shell script. Is there any way to make this secure?

Thanks,

GR

Use perl insted of ksh/bash, as perl support more feature to check input (passed via args) since the filenames to be concatenated will be POSTed as parameters.

But it is tricky

imagine a file name is inputed as ";rm -rf / "
or the ; as a hex or octal or unicode or unicode double encoded

wouldn't perhaps be easier to have the files indexed and shown?

So that you only process an number.

the attacker won't destroy your system as you probably got apache as nobody, but still your files are gone and what ever nobody can delete will be deleted.

Krugger: yes, the files are indexed by date, and I'm checking to make sure that the input is a valid date. Is there anything else I should think about?

nixcraft: if you can figure out a way to call gs from perl, with parameters, and without using "system" calls, let me know.

Thanks.

If you use number or such remember that the attacker can craft the GET or POST.

if you changed to php or something else beware of code injection, in shell script it is the same.

now that you are thinking about the ';', think about these:

$(ls -la)
' $(ls -la) '

This will be interpreted by the ksh and to do the substitution it will have to execute the command. Of course this might not work as I don't know how you are doing the verifications on the date.

Also beware of its size, although I don't think gs is vunerable to bufferoverflow.

Perl must have a pdf api. It has one for almost everything.