The Common Gateway Interface (CGI) Pat Morin COMP2405.

Slides:

Advertisements

Similar presentations

CGI & HTML forms CGI Common Gateway Interface  A web server is only a pipe between user-agents  and content – it does not generate content.

Advertisements

Adding Dynamic Content to your Web Site

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Common Gateway Interface (CGI). CGI is a protocol: CGI is not a programming language CGI is a protocol for the exchange of information between between.

Copyright 2004 Monash University IMS5401 Web-based Systems Development Topic 2: Elements of the Web (g) Interactivity.

Browsers and Servers CGI Processing Model ( Common Gateway Interface ) © Norman White, 2013.

Python and Web Programming

Definitions, Definitions, Definitions Lead to Understanding.

Guide To UNIX Using Linux Third Edition

Lecture 13 Dynamic Web Servers & Common Gateway Interface CPE 401 / 601 Computer Network Systems slides are modified from Dave Hollinger.

CGI Programming: Part 1. What is CGI? CGI = Common Gateway Interface Provides a standardized way for web browsers to: –Call programs on a server. –Pass.

Web Client/Server Communication A290/A590, Fall /09/2014.

Chapter 6: Hostile Code Guide to Computer Network Security.

CGI Programming Languages Web Based Software Development July 21, 2005 Song, JaeHa.

Common Gateway Interface

1 ‘Dynamic’ Web Pages So far, we have developed ‘static’ web-pages, e.g., cv.html, repair.html and order.html. There is often a requirement to produce.

CGI Common Gateway Interface. CGI is the scheme to interface other programs to the Web Server.

INTRODUCTION TO WEB DATABASE PROGRAMMING

Chapter 9 Using Perl for CGI Programming. Computation is required to support sophisticated web applications Computation can be done by the server or the.

FALL 2005CSI 4118 – UNIVERSITY OF OTTAWA1 Part 4 Web technologies: HTTP, CGI, PHP,Java applets)

HTTP; The World Wide Web Protocol

1 HTML and CGI Scripting CSC8304 – Computing Environments for Bioinformatics - Lecture 10.

Comp2513 Forms and CGI Server Applications Daniel L. Silver, Ph.D.

Chapter 33 CGI Technology for Dynamic Web Documents There are two alternative forms of retrieving web documents. Instead of retrieving static HTML documents,

9 Chapter Nine Compiled Web Server Programs. 9 Chapter Objectives Learn about Common Gateway Interface (CGI) Create CGI programs that generate dynamic.

USING PERL FOR CGI PROGRAMMING

CS4273: Distributed System Technologies and Programming I Lecture 7: Java Networking.

Java CGI Lecture notes by Theodoros Anagnostopoulos.

20-753: Fundamentals of Web Programming Copyright © 1999, Carnegie Mellon. All Rights Reserved. 1 Lecture 7: HTTP and CGI Fundamentals of Web Programming.

A/WWW Enterprises15 July 1996 Implementing Queries with HTTP A. Warnock A/WWW Enterprises

10/13/2015 ©2006 Scott Miller, University of Victoria 1 Content Serving Static vs. Dynamic Content Web Servers Server Flow Control Rev. 2.0.

Copyright © 2008 Pearson Education, Inc. Publishing as Pearson Addison-Wesley Chapter 9 Using Perl for CGI Programming.

Website Development with PHP and MySQL Saving Data.

CGI Programming. What is it? CGI –Common Gateway Interface Standard way to pass information back to the Web Server –GET Query String –POST Standard Input.

Chapter 6 Server-side Programming: Java Servlets

1 © Netskills Quality Internet Training, University of Newcastle HTML Forms © Netskills, Quality Internet Training, University of Newcastle Netskills is.

CGI Common Gateway Interface. CGI is the scheme to interface other programs to the Web Server.

CSU - DEO Introduction to CGI - Fort Collins, CO Copyright © XTR Systems, LLC Introduction to the Common Gateway Interface (CGI) Instructor: Joseph DiVerdi,

Form Data Encoding GET – URL encoded POST – URL encoded

Netprog 2002 CGI Programming1 CGI Programming CLIENT HTTP SERVER CGI Program http request http response setenv(), dup(), fork(), exec(),...

CSE 341, S. Tanimoto Lisp CGI - 1 Lisp CGI Programming for the Web Web servers can invoke Lisp to “intelligently” create web pages on the fly. We will.

1 WWW. 2 World Wide Web Major application protocol used on the Internet Simple interface Two concepts –Point –Click.

ECMM6018 Enterprise Networking for Electronic Commerce Tutorial 7

JS (Java Servlets). Internet evolution [1] The internet Internet started of as a static content dispersal and delivery mechanism, where files residing.

 Previous lessons have focused on client-side scripts  Programs embedded in the page’s HTML code  Can also execute scripts on the server  Server-side.

27.1 Chapter 27 WWW and HTTP Copyright © The McGraw-Hill Companies, Inc. Permission required for reproduction or display.

CS 330 Class 8 Homework A pattern that contains a word with an optional period A pattern that contains Fred with a space (not Freddy) See regexp.txt guest4.htm.

Introduction to CGI PROG. CGI stands for Common Gateway Interface. CGI is a standard programming interface to Web servers that gives us a way to make.

Session 11: Cookies, Sessions ans Security iNET Academy Open Source Web Development.

Lesson 11. CGI CGI is the interface between a Web page or browser and a Web server that is running a certain program/script. The CGI (Common Gateway Interface)

University of Kansas Department of Electrical Engineering and Computer Science Dr. Susan Gauch April 21, 2005 I T T C Introduction to Web Technologies.

Introduction to AJAX Pat Morin COMP Outline What is AJAX? – History – Uses – Pros and Cons An XML HTTP Transaction – Creating an XMLHTTPRequest.

1 Chapter 1 INTRODUCTION TO WEB. 2 Objectives In this chapter, you will: Become familiar with the architecture of the World Wide Web Learn about communication.

Distributed Control and Measurement via the Internet

Tonga Institute of Higher Education IT 141: Information Systems

CS 330 Class 7 Comments on Exam Programming plan for today:

Section 6.3 Server-side Scripting

WWW and HTTP King Fahd University of Petroleum & Minerals

The Hypertext Transfer Protocol

Introduction to CGI and ajax

MapServer In its most basic form, MapServer is a CGI program that sits inactive on your Web server. When a request is sent to MapServer, it uses.

CGI Programming Part II UNIX Security

Introduction to CGI and ajax

Chapter 27 WWW and HTTP.

Tonga Institute of Higher Education IT 141: Information Systems

Introduction to Servlets

Tonga Institute of Higher Education IT 141: Information Systems

World Wide Web Components

SHELLSHOCK ATTACK.

Presentation transcript:

The Common Gateway Interface (CGI) Pat Morin COMP2405

2 Outline What is CGI? Details of the Server/Program Interface – Environment variables – Form data – GET versus POST Security Issues – Common vulnerabilities

3 What is CGI? Recall the usual HTTP Transaction 1. Client opens connection to server 2. Client sends request to server 3. Server responds to request 4. Client and server close connection ● CGI is all about what happens between steps 2 and 3 ● CGI is a standard interface by which the web server passes the client's request to a program and receives the response from that program

4 The CGI Process clientserver open reply close request CGI program request reply

5 The CGI Process Client open connection to server Client sends request to server Server processes request – Server launches CGI program – CGI program runs – CGI program outputs response Server sends response to client Client and server close connection

6 Sending the Request to the Program The web server sends information to the program using environment variables This information includes – HTTP headers – Server information – Client information – Information about the request

7 Receiving Form Data A CGI program can receive form data in two different ways If the form is submitted by the GET method then the query is encoded in the QUERY_STRING environment variable If the form is submitted by the POST method then – The data arrives on stdin (standard input) – The CONTENT_LENGTH environment indicates how much data will arrive (the server does not transmit EOF!)

8 Sending the Reply The CGI program should write it's output to stdout The output consists of – A header, containing, as a minimum the Content-type but possibly also other header fields, if supported – A blank line – The content (e.g., text, html, etc.) Normally, we use Content-type: text/html

9 Security Concerns The client is sending a request that causes the server to execute a program The program uses data provided by the client Client data can not be trusted!

10 Security Tips Do not trust the client to follow rules – setting maxlength in a text field does not guarantee that you will never receive a longer string Never leave any opportunity to execute data provided by the client (using eval, or forgetting quotes) Be careful with file names or names passed on a command line – if a client sends "../../../etc/passwd" as a user name will this give them access to /etc/passwd ?

11 Security Tips (Cont'd) Don't store data where it can be accessed by HTTP clients Either: – Put data in a separate directory that is not under your public_html directory, OR – Adjust file permissions Always escape user-supplied data before outputting it as HTML Turn off server-side includes – if a client sends " " as a username, will this give them access to /etc/passwd

12 Some Technical Issues CGI programs can be written in any programming language (C, C++, Java, Perl, bash,...) The web server is configured to treat executable files in certain special directories as CGI programs – For us, this is ~username/cgi-bin/ The user ID that the CGI program is run under depends on the server configuration – For us, it is the UID of username The CGI program is restricted to performing operations permitted to that user

13 Summary CGI is a simple means by which the server and CGI program exchange data CGI (or something like it) is required for creating web pages with dynamic content Form data is handled differently depending on whether the form method is GET or POST CGI introduces many subtle potential security problems