CS3157: Advanced Programming, Lecture #5: CGI, CGI security, CGI graphics, alternative technologies, threading - PDF document


  1. Outline
CS3157: Advanced Programming, Lecture #5, Sept 26
Shlomo Hershkop, shlomo@cs.columbia.edu
• CGI
• CGI security
• CGI Graphics
• Alternative Technologies
• Threading

CGI Requirements
• Minimum the web server needs to provide:
  – Web server set up correctly to allow an external process to create web pages (will not talk about it in class).
  – Configure the CGI script (will cover this in lab).
• Basic HTTP/HTML knowledge
• Goal: responding to queries and presenting dynamic content via HTTP.

  2. HTTP headers
Request:
    GET /index.html HTTP/1.1            <- request line
Response:
    HTTP/1.1 200 OK                     <- status line
    Content-type: text/html             <- header fields
    Content-Length: 300

Request methods:
• GET
• HEAD
• POST
• PUT
• DELETE
• CONNECT
• OPTIONS
• TRACE

Server responses
    HTTP/1.1 200 OK
    Date: Sun, 25 Sep 2005 20:30:12 GMT
    Server: Apache/1.3.5 (Unix)
    Last-Modified: Wed, 20 May 1998 13:12:11 GMT
    ETag: "2345-7227363ed"
    Content-Length: 141
    Content-Type: text/html

    <HTML>
    <HEAD><TITLE>.......

CGI Environment
• In Perl, available through the %ENV global hash
• Changing any of the values will only be seen by your own subprocess – Why? (The server hands the script a copy of the environment when it execs it; the copy dies with the script and never flows back to the server.)
• Some of the variables will be blank – Why? (They are only filled in when the request supplies them: CONTENT_LENGTH and CONTENT_TYPE for a POST body, QUERY_STRING for a ?query, REMOTE_HOST only if the server does reverse DNS lookups.)

  3. Side Note: Line Endings
• Carriage return \r
• Line feed \n
• CRLF \r\n
• Unix – LF (\n); older Macs – CR (\r); HTTP – CRLF
• print "Content-type: text/html\n\n"
• Why not \n\r\n\r ???? (HTTP header lines end in CRLF, i.e. \r\n, and the header block ends with one empty line, so the separator is \r\n\r\n. "\n\r" is not a line ending in any convention. Servers accept a bare \n\n from CGI scripts, which is why the Perl below works.)

Serving web pages
    #!/usr/local/bin/perl
    use strict;
    $| = 1;                                   # unbuffered STDOUT
    my $time = localtime;
    my $remote_id = $ENV{REMOTE_HOST} || $ENV{REMOTE_ADDR};   # "||", not "|"
    print "Content-type: text/html\n\n";
    print <<END_OF_PRINTING;
    This is the time : $time <P>
    and your id is $remote_id
    END_OF_PRINTING

Serving more than web pages
• print "Content-type: text/html\n\n";
• print "Content-type: image/jpeg\n\n";
• print "Content-type: image/png\n\n";
• print "Content-type: audio/mp3\n\n";

Serving mp3 files
    open(MP3FILE, "....") || die "....";
    binmode MP3FILE;                          # raw bytes in ...
    my $buffer;
    print "Content-type: audio/mp3\n\n";
    binmode STDOUT;                           # ... and raw bytes out
    while (read(MP3FILE, $buffer, 16384)) {
        print $buffer;
    }
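The response-building rule above, as an added example in Python rather than the lecture's Perl (this is not code from the slides): it builds the CGI output the way the "serving web pages" script does, and a small server-side parser shows why "\r\n\r\n" (or a bare "\n\n") separates headers from body while "\n\r\n\r" does not. The environment dictionary passed in and the html escaping of REMOTE_HOST/REMOTE_ADDR are this example's own choices.

```python
import html
import os
import sys
import time

CRLF = b"\r\n"


def cgi_response(content_type, body, extra_headers=()):
    """Return the bytes a CGI script writes to stdout: header lines, each
    terminated by CRLF, then one empty line, then the body untouched."""
    lines = [b"Content-Type: " + content_type.encode("ascii")]
    for name, value in extra_headers:
        lines.append(f"{name}: {value}".encode("ascii"))
    # CRLF after the last header plus CRLF for the empty line: \r\n\r\n in total.
    return CRLF.join(lines) + CRLF + CRLF + body


def split_response(raw):
    """Parse output the way a server does: the headers end at the first
    empty line. CRLF and bare LF are both accepted, as servers accept both
    from CGI scripts. Returns (headers dict with lower-cased names, body)."""
    for sep in (b"\r\n\r\n", b"\n\n"):
        idx = raw.find(sep)
        if idx != -1:
            head, body = raw[:idx], raw[idx + len(sep):]
            break
    else:
        raise ValueError("no header/body separator found")
    headers = {}
    for line in head.replace(b"\r\n", b"\n").split(b"\n"):
        name, _, value = line.partition(b":")
        headers[name.strip().lower()] = value.strip()
    return headers, body


def hello_page(environ, now=None):
    """The slide's 'time and your id' page built from a CGI environment dict
    (assumed to look like os.environ under a web server)."""
    now = now or time.ctime()
    # REMOTE_HOST is only set when the server did a reverse lookup; fall back
    # to REMOTE_ADDR. Both come from outside the script (reverse DNS is
    # attacker-influenced), so escape them before placing them in HTML.
    remote_id = environ.get("REMOTE_HOST") or environ.get("REMOTE_ADDR") or "unknown"
    body = (f"This is the time : {html.escape(now)} <P>\n"
            f"and your id is {html.escape(remote_id)}\n").encode("utf-8")
    return cgi_response("text/html", body)


if __name__ == "__main__":
    # Run under a web server this behaves like the Perl script on the slide.
    sys.stdout.buffer.write(hello_page(os.environ))
```

The binary case matters too: a body such as an mp3 may itself contain "\r\n\r\n", which is harmless because the server only looks for the first empty line, which is the one the header builder emits.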

  4. Example
• http://..../cgi-bin/mp3server.cgi/Song.mp3

Argument passing
• Say you have a cool program which you can hook to the web.....
  – Give it a cell phone number
  – Give it a message
  – It will send the cell phone the message

The HTML form:
    <HTML><HEAD>
    <TITLE>Cool</TITLE>
    </HEAD>
    <BODY>
    <form action="cgi-bin/cool.cgi" method="GET">
    <p>Enter cell phone to use: <input type="text" name="cellphone"></p>
    <p>Enter Message: <input type="text" name="message"></p>
    <input type="submit">
    </form>
    </BODY></HTML>

cool.cgi:
    use CGI;
    my $coolp = '/usr/local/bin/cellmsg';
    my $q = new CGI;
    my $cell = $q->param("cellphone");
    my $msg  = $q->param("message");
    # error checking here
    # the user's two strings are pasted into one command line for the shell
    open PIPE, "$coolp $cell $msg |" or die "Can not open cellphone program";
    print $q->header("text/plain");
    print while <PIPE>;
    close PIPE;

  5. What can go wrong?
• When the command is executed the user can, in theory, pass in the following as the message:
    Something ; rm -rf *.*
  The pipe open hands the whole string to the shell, which runs the cell-message program and then rm -rf.

Perl taint mode
• -T, as in
    #!/usr/bin/perl -wT
• Marks all incoming data as tainted: STDIN, CGI parameters, %ENV, anything read from a file or socket
• Taintedness follows the value around through assignments
• Perl refuses to use tainted data in anything that affects the outside world (system, exec, pipe opens, opening files for writing, ...)

Tainted?
    sub is_tainted {
        my $var   = shift;
        my $blank = substr($var, 0, 0);   # zero-length, but still carries the taint
        # eval STRING dies under -T if the string is tainted, so the block
        # returns undef for tainted input and 1 otherwise
        return not eval { eval "1 || $blank" || 1 };
    }

  6. Why
• Why would you want to keep track of tainted data?
• Idea: check the data for security problems first, and only then allow it to be used
• Reminder: taint is only tracked if taint mode (-T) is on

Getting out of taint
• Match the value against a pattern and use the captured groups ($1, $2, ...); the captures are untainted, so the pattern is where the checking happens

Command shell
• A better way of executing a program with arguments is to divide the work
• Create an instance of the program you want to run (fork)
• Pass the arguments directly to it (exec with a list), instead of going through the command shell, where one string can combine multiple commands

fork/exec
    my $pid = open PIPE, "-|";               # fork; child's STDOUT is our PIPE
    die "problem forking $!" unless defined $pid;
    unless ($pid) {
        # list form of exec: program and arguments, no shell involved
        exec $coolp, $cell, $msg or die "cant exec $coolp $!";
    }
    print while <PIPE>;                       # parent reads the child's output
    close PIPE;
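The injection from slides 4 and 5 and the fork/exec fix from this slide, carried through as an added Python example (the lecture's code is Perl; this is not from the slides). /bin/echo stands in for /usr/local/bin/cellmsg so the block runs anywhere with a POSIX shell, and the two validation patterns play the role of the Perl regex match that untaints a value; both are this example's own assumptions.

```python
import re
import subprocess

PROG = "/bin/echo"   # stand-in for the cell-message program (assumption)


def run_via_shell(cell, msg):
    """The slide-4 pattern: both user strings are pasted into one command
    line that /bin/sh parses, so ';', '|', '$(...)' and friends become
    shell syntax rather than data."""
    cmd = f"{PROG} {cell} {msg}"
    return subprocess.run(cmd, shell=True, capture_output=True, text=True).stdout


def run_via_exec(cell, msg):
    """The fork/exec pattern: the program is started with an argv list, so
    each value arrives as exactly one argument, metacharacters intact."""
    return subprocess.run([PROG, cell, msg], capture_output=True, text=True).stdout


# Allow-list patterns (example's own choice). fullmatch is used instead of
# ^...$ because '$' also matches before a trailing newline, in Python as in
# Perl, which would let "5551234\n" through.
CELL_RE = re.compile(r"\+?[0-9]{7,15}")
MSG_RE = re.compile(r"[A-Za-z0-9 .,!?'-]{1,160}")


def untaint(value, pattern):
    """Perl-style untainting: a tainted value becomes usable only by matching
    it against a pattern and taking the capture. Anything that does not
    match the allow-list is rejected rather than cleaned up."""
    m = pattern.fullmatch(value)
    if m is None:
        raise ValueError(f"rejected input: {value!r}")
    return m.group(0)


def send_message(cell, msg):
    """Validate first, then exec without a shell: both halves of the fix."""
    return run_via_exec(untaint(cell, CELL_RE), untaint(msg, MSG_RE))


if __name__ == "__main__":
    payload = "hello; id"            # the slide's "Something ; rm -rf *.*", made harmless
    print("shell :", run_via_shell("5551234", payload))
    print("exec  :", run_via_exec("5551234", payload))
    try:
        send_message("5551234", payload)
    except ValueError as e:
        print("untaint:", e)
```

With shell=True the output contains a uid line, because the shell ran `id` as a second command; with the argv list the whole "hello; id" string is printed back as one argument, and with validation in front the request never reaches the program at all.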

  7. Graphics
Formats:
• GIF (Graphic Interchange Format)
  – 256 colors
  – LZW compression
  – Animation
  – Transparent bit
• JPEG (Joint Photographic Expert Group)
  – 24-bit color
  – Lossy compression
  – No animation/transparency
• PNG (Portable Network Graphic)
  – 256 color / 16-bit gray / 48-bit true color
  – NOT LZW
  – Alpha channels
  – Interlacing algorithms
• PDF (Portable Document Format)
  – PostScript language for document layout

Image manipulation
• Many packages in Perl to work with image data
• GD
  – Lightweight package
  – Port of the C graphics library
  – Manipulation routines for PNG

File locking
    use Fcntl ":flock";
    open FILE, "?????.txt" or die $!;
    # one of these
    flock FILE, LOCK_EX or die $!;    # exclusive lock: one writer at a time
    flock FILE, LOCK_SH or die $!;    # shared lock: many readers, no writer
    .....
    flock FILE, LOCK_UN;              # release (closing the handle also releases)
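Why the lock on this slide matters for a CGI script, as an added example in Python (the slide's snippet is Perl; this is not lecture code): every request is its own process, so several can be in the middle of read-modify-write on the same counter file at once. fcntl.flock(LOCK_EX) makes them take turns. The counter file and the thread-based simulation of concurrent requests are this example's own choices; flock locks belong to the open file description, so separately opened handles in one process conflict exactly as separate processes would.

```python
import fcntl
import os
import tempfile
import threading


def bump_counter(path, lock=True):
    """Read the count in `path`, add one, write it back.

    With lock=True the whole read-modify-write runs under an exclusive flock,
    so concurrent callers queue up. With lock=False two callers can read the
    same value and one increment is lost, the classic CGI hit-counter bug."""
    fd = os.open(path, os.O_RDWR | os.O_CREAT, 0o644)
    try:
        if lock:
            fcntl.flock(fd, fcntl.LOCK_EX)   # blocks until no one else holds it
        data = os.read(fd, 64)
        count = int(data.decode()) if data.strip() else 0
        os.lseek(fd, 0, os.SEEK_SET)
        os.ftruncate(fd, 0)
        os.write(fd, str(count + 1).encode())
        # flock(fd, LOCK_UN) would go here; closing the descriptor releases it too
    finally:
        os.close(fd)


def hammer(path, workers=8, hits=200, lock=True):
    """Stand-in for `workers` concurrent CGI processes each serving `hits`
    requests. Returns the final count, which should be workers * hits."""
    def worker():
        for _ in range(hits):
            bump_counter(path, lock=lock)
    threads = [threading.Thread(target=worker) for _ in range(workers)]
    for t in threads:
        t.start()
    for t in threads:
        t.join()
    with open(path) as f:
        return int(f.read())


def demo(lock=True, workers=8, hits=200):
    """Run hammer() on a fresh temporary counter file and clean up."""
    fd, path = tempfile.mkstemp(prefix="counter-")
    os.close(fd)
    try:
        return hammer(path, workers=workers, hits=hits, lock=lock)
    finally:
        os.unlink(path)


if __name__ == "__main__":
    print("with flock   :", demo(lock=True))
    print("without flock:", demo(lock=False))
```

The unlocked run usually comes out short by some amount that varies from run to run; the locked run is always exact. A shared lock (LOCK_SH) is enough for a script that only reads the file, and lets readers proceed in parallel while still excluding a writer.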

  8. Alternatives
• ColdFusion
  – Web server interprets standard ColdFusion calls embedded in HTML, and you can add code to run custom functions
• Java servlets
  – Compiled Java classes invoked by the web client
  – Code creates documents
• PHP
  – Apache web server
  – Similar to Perl CGI
  – Embed code in HTML
• FastCGI
  – Threaded instance of Perl continuously running to help Perl run faster
• mod_perl
  – Apache server Perl thread to make Perl CGI faster

Alt II
• ASP
  – Created by Microsoft for its servers
  – Windows, and Linux
  – Mix code into HTML
  – Visual Basic / JavaScript

Wednesday
• Meet in the CLIC lab 2-4pm or 4-6pm
  – Please choose a spot in either lab
  – Feel free to bring your own laptop if you want to stay full time
  – Feel free to ask for help with anything during lab
• Make sure you have a CS account.
• Graded lab assignment, part of class; will be due Friday afternoon.

Outputting text
• Many times you will have multiple fields per line
• Common delimiters:
  – Comma
  – Tabs
  – Pipe |
• Make sure whatever you choose is not in the data
• How to represent these delimiters if they are present??

  9. Socket
• In order to communicate across computer networks (or between processes on the same computer) you need to set up a communication address.
• IO::Socket

IO::Socket client
    use IO::Socket::INET;
    my $socket = IO::Socket::INET->new(
        PeerAddr => $remote_host,
        PeerPort => $remote_port,        # not PeerAddr again
        Proto    => "tcp",
        Type     => SOCK_STREAM) or die "cannot connect: $!";
    # writing out
    print $socket "hello World\n";
    my $answer = <$socket>;              # read one line back
    close($socket);

Server version
    my $server = IO::Socket::INET->new(
        LocalPort => $server_port,
        Type      => SOCK_STREAM,
        Reuse     => 1,
        Listen    => 10) or die "cannot listen: $!";
    while (my $client = $server->accept()) {
        # ...
    }
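The client/server pair above run end to end, as an added Python example rather than the lecture's Perl (not code from the slides): the server listens on an ephemeral localhost port in a thread, the client connects, sends "hello World" and reads the one-line answer. The newline-terminated message framing and the port choice are this example's own; TCP itself has no message boundaries, so each side needs some rule for where a message ends.

```python
import socket
import threading


def start_server(host="127.0.0.1"):
    """Bind to a free port (port 0) and listen with a backlog of 10, as on
    the slide. SO_REUSEADDR is the Perl Reuse => 1."""
    server = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    server.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
    server.bind((host, 0))
    server.listen(10)
    return server


def serve_once(server):
    """Accept one client, read one line, answer it, close. Returns the
    received line so the caller can check what arrived."""
    client, _addr = server.accept()
    with client:
        received = client.makefile("rb").readline()   # up to and including "\n"
        client.sendall(b"you said: " + received)
    return received


def ask(host, port, line):
    """Client side: connect, send one line, return the answer line."""
    with socket.create_connection((host, port), timeout=5) as s:
        s.sendall(line.encode() + b"\n")
        return s.makefile("rb").readline().decode().rstrip("\n")


def exchange(line="hello World"):
    """Run server and client in one process. Returns (answer, what the
    server received) so both directions can be checked."""
    server = start_server()
    host, port = server.getsockname()
    seen = {}
    t = threading.Thread(target=lambda: seen.update(got=serve_once(server)))
    t.start()
    try:
        answer = ask(host, port, line)
    finally:
        t.join(5)
        server.close()
    return answer, seen.get("got")


if __name__ == "__main__":
    print(exchange("hello World"))
```

A real server would loop on accept() as the slide's while loop does and hand each client to a child process or thread, which is where the threading slide that follows picks up.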

  10. Other topics
• Multithreading
  – Fork processes
  – Process space
• Communication
  – Pipes
  – Sockets
