Presentation is loading. Please wait.

Presentation is loading. Please wait.

The Common Gateway Interface (CGI) Pat Morin COMP2405.

Published byJocelin Townsend Modified over 7 years ago

Similar presentations

Presentation on theme: "The Common Gateway Interface (CGI) Pat Morin COMP2405."— Presentation transcript:

1 The Common Gateway Interface (CGI) Pat Morin COMP2405

2 2 Outline What is CGI? Details of the Server/Program Interface – Environment variables – Form data – GET versus POST Security Issues – Common vulnerabilities

3 3 What is CGI? Recall the usual HTTP Transaction 1. Client opens connection to server 2. Client sends request to server 3. Server responds to request 4. Client and server close connection ● CGI is all about what happens between steps 2 and 3 ● CGI is a standard interface by which the web server passes the client's request to a program and receives the response from that program

4 4 The CGI Process clientserver open reply close request CGI program request reply

5 5 The CGI Process Client open connection to server Client sends request to server Server processes request – Server launches CGI program – CGI program runs – CGI program outputs response Server sends response to client Client and server close connection

6 6 Sending the Request to the Program The web server sends information to the program using environment variables This information includes – HTTP headers – Server information – Client information – Information about the request

7 7 Receiving Form Data A CGI program can receive form data in two different ways If the form is submitted by the GET method then the query is encoded in the QUERY_STRING environment variable If the form is submitted by the POST method then – The data arrives on stdin (standard input) – The CONTENT_LENGTH environment indicates how much data will arrive (the server does not transmit EOF!)

8 8 Sending the Reply The CGI program should write it's output to stdout The output consists of – A header, containing, as a minimum the Content-type but possibly also other header fields, if supported – A blank line – The content (e.g., text, html, etc.) Normally, we use Content-type: text/html

9 9 Security Concerns The client is sending a request that causes the server to execute a program The program uses data provided by the client Client data can not be trusted!

10 10 Security Tips Do not trust the client to follow rules – setting maxlength in a text field does not guarantee that you will never receive a longer string Never leave any opportunity to execute data provided by the client (using eval, or forgetting quotes) Be careful with file names or names passed on a command line – if a client sends "../../../etc/passwd" as a user name will this give them access to /etc/passwd ?

11 11 Security Tips (Cont'd) Don't store data where it can be accessed by HTTP clients Either: – Put data in a separate directory that is not under your public_html directory, OR – Adjust file permissions Always escape user-supplied data before outputting it as HTML Turn off server-side includes – if a client sends " " as a username, will this give them access to /etc/passwd

12 12 Some Technical Issues CGI programs can be written in any programming language (C, C++, Java, Perl, bash,...) The web server is configured to treat executable files in certain special directories as CGI programs – For us, this is ~username/cgi-bin/ The user ID that the CGI program is run under depends on the server configuration – For us, it is the UID of username The CGI program is restricted to performing operations permitted to that user

13 13 Summary CGI is a simple means by which the server and CGI program exchange data CGI (or something like it) is required for creating web pages with dynamic content Form data is handled differently depending on whether the form method is GET or POST CGI introduces many subtle potential security problems

Download ppt "The Common Gateway Interface (CGI) Pat Morin COMP2405."

Similar presentations

CGI & HTML forms -05-. CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.

CGI & HTML forms CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.
Adding Dynamic Content to your Web Site

Adding Dynamic Content to your Web Site
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
Common Gateway Interface (CGI). CGI is a protocol: CGI is not a programming language CGI is a protocol for the exchange of information between between.

Common Gateway Interface (CGI). CGI is a protocol: CGI is not a programming language CGI is a protocol for the exchange of information between between.
Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.
Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.
Python and Web Programming

Python and Web Programming
Definitions, Definitions, Definitions Lead to Understanding.

Definitions, Definitions, Definitions Lead to Understanding.
Guide To UNIX Using Linux Third Edition

Guide To UNIX Using Linux Third Edition
Lecture 13 Dynamic Web Servers & Common Gateway Interface CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.

Lecture 13 Dynamic Web Servers & Common Gateway Interface CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.
CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.
Web Client/Server Communication A290/A590, Fall 2014 09/09/2014.

Web Client/Server Communication A290/A590, Fall /09/2014.
Chapter 6: Hostile Code Guide to Computer Network Security.

Chapter 6: Hostile Code Guide to Computer Network Security.
CGI Programming Languages Web Based Software Development July 21, 2005 Song, JaeHa.

CGI Programming Languages Web Based Software Development July 21, 2005 Song, JaeHa.
Common Gateway Interface

Common Gateway Interface
1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.

1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.
CGI Common Gateway Interface. CGI is the scheme to interface other programs to the Web Server.

CGI Common Gateway Interface. CGI is the scheme to interface other programs to the Web Server.
INTRODUCTION TO WEB DATABASE PROGRAMMING

INTRODUCTION TO WEB DATABASE PROGRAMMING
Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.

Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.
FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

Similar presentations

Ads by Google