Welcome to the Monastery | |
PerlMonks |
Re^3: Use CGI to run a Perl script via web server (updated)by haukex (Archbishop) |
on May 25, 2017 at 14:15 UTC ( [id://1191217]=note: print w/replies, xml ) | Need Help?? |
There is no security risk as this Link will only be used from within a different application. Sorry, but those are famous last words. Getting security right is really hard. At the very least, you need to use the LIST form of system, i.e. system("cqperl","NewLdapUser.pl",$sso,$firstName,$lastName,$email);, and even better, since you're already using IPC::System::Simple, be explicit by using its systemx instead of system function. <update2> Plus, what hippo said, plus some kind of authentication for this script, and so on. </update2> ... creates a user account in another application (using system call). Reason is mentioned in the script comments. I admit I don't know cqperl (ClearQuest Perl?), but I'm not entirely convinced that whatever the Perl script NewLdapUser.pl is doing could not be done by your CGI script, especially given that your script is already making use of Net::LDAP. $sso == "" This is not doing what you want, as Perl would tell you, that's why you should always Use strict and warnings. Use eq instead and see the Basic debugging checklist. All I am looking for is to find out a way to parse the value from $sso = shift to just $sso using CGI. I'm not sure I understand the question, are you having trouble with getting the CGI parameters? I don't really see anything immediately wrong with my $sso = $query->param("sso");, have you tried narrowing down your script to only that part and attempting to debug it (using the links previously provided)? Update: Your code also seems to be potentially vulnerable to a Cross-site scripting (XSS) attack, see also this. Even if not, you should still use CGI's escapeHTML() function.
In Section
Seekers of Perl Wisdom
|
|