Glynn Clements wrote:
> The attached lex program will parse a URL-encoded string (from stdin)
> and emit a sequence of shell commands which define environment
> variables.
You aren't seriously saying that you feed CGI input to a shell are you?
This LEX program both contains a parsing bug on correct input (the
escape syntax is %## not %##%) and is way too easy to fool into embedding
custom shell commands in the output (the simplest case is ;ls<newline>).
A more interesting question (and what I believe the question was) is how
to parse CGI input in a C program. A lex program that emits unfiltered
shell variable definitions one character at a time does not help a C
programmer much.
And my answer to this question is: Use one of the available and tested
libraries for doing this. Unfortunately I do not have a pointer
available (kind of offline at the moment) but it should not be too hard
to locate.
Anyone daring to write his own CGI parsing should know that unless it is
a protected CGI then you have to take great care in handling all kinds
of strange input that may or may not be legal according to the encoding
specifications. For a C programmer the biggest pit is buffer overflow,
for a shell/perl programmer it is input encoded to execute other
commands.
---
Henrik Nordström
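An added example, not from anyone in this thread, of the "parse it in C" route Henrik describes: a bounds-checked decoder that accepts only the exact %XX escape syntax and refuses to overrun its output buffer, plus a lookup that pulls one key's value out of a query string. Function names are my own and the query strings used to exercise it are constructed.

```c
#include <string.h>

static int hexval(int c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/* Decode inlen bytes of URL-encoded input into out (capacity outlen). Returns
 * the decoded length, or -1 on a malformed escape (the syntax is exactly %XX)
 * or if the result would not fit; never writes past out[outlen-1]. */
int url_decode(const char *in, size_t inlen, char *out, size_t outlen) {
    size_t o = 0;
    for (size_t i = 0; i < inlen; i++) {
        int c = (unsigned char)in[i];
        if (c == '+') c = ' ';
        else if (c == '%') {
            if (i + 2 >= inlen) return -1;          /* truncated escape */
            int hi = hexval((unsigned char)in[i + 1]);
            int lo = hexval((unsigned char)in[i + 2]);
            if (hi < 0 || lo < 0) return -1;        /* non-hex escape */
            c = hi * 16 + lo;
            i += 2;
        }
        if (o + 1 >= outlen) return -1;             /* keep room for NUL */
        out[o++] = (char)c;
    }
    out[o] = '\0';
    return (int)o;
}

/* Find key in a form-urlencoded query and decode its value into out. Returns
 * the decoded length, -1 on a bad or oversized value, -2 if the key is absent.
 * Key names are matched undecoded (a simplification); nothing goes to a shell. */
int cgi_get(const char *query, const char *key, char *out, size_t outlen) {
    size_t klen = strlen(key);
    const char *p = query;
    while (*p) {
        const char *end = strchr(p, '&');
        size_t plen = end ? (size_t)(end - p) : strlen(p);
        const char *eq = memchr(p, '=', plen);
        size_t nlen = eq ? (size_t)(eq - p) : plen;
        if (nlen == klen && memcmp(p, key, klen) == 0)
            return url_decode(eq ? eq + 1 : p, eq ? plen - nlen - 1 : 0, out, outlen);
        p = end ? end + 1 : p + plen;   /* next pair, or the terminating NUL */
    }
    return -2;
}
```

The decoded bytes are returned as plain data for the C program to validate and use; a ";" or newline in them is just another byte, which is the whole point of not routing the input through a shell.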