12. Common Gateway Interface
12.4. Examples
12.4.1. Hello World
12.4.1.1. Description / Motivation
This CGI application is designed to say "hello" to its viewer. It takes
no input, and the only output it provides is the HTML to display a
simple message.
This example demonstrates several important aspects of CGI applications:
- Producing header information
The MIME type of the output produced by the CGI application is one of the most
important items a CGI-app must provide. "Hello World" demonstrates this, as
well as how to separate the header information from the body with a
blank line of text.
- Producing basic HTML body output
The output that "Hello World" produces is always the same, and is nothing
more than a simple web page. A user can see how the output from "Hello
World" is returned to a WWW client and how it is interpreted in the same
way that a static web page is interpreted.
12.4.1.2. Source Code
Click here to view the source code
12.4.1.3. Test the Example
Click here to run helloworld.cgi
12.4.2. Date and Time
12.4.2.1. Description / Motivation
This CGI application displays the date and time (relative to the web
server on which the CGI application executes).
The capabilities demonstrated by this CGI application are:
- Displaying dynamic data
Every time this CGI application is executed, it will produce different
output. This CGI-app exemplifies the dynamic nature of all CGI applications
in a very simplistic manner.
- Interfacing with other functions
The heart of creating a WWW interface to other applications lies in the
functions used to address them. CGI-apps are a way of placing a
user-friendly front-end on other applications, and the success of this
approach depends on the interface between the two parts.
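As an added example that is not part of the tutorial (it is neither the author's helloworld.cgi nor date.cgi), the C program below produces the kind of response both examples above describe: the Content-Type header, the blank line that ends the header block, and an HTML body whose text is generated at request time. The names build_time_response() and header_length() are chosen here, and the timestamp is rendered in UTC so that the output for a given instant is reproducible.

```c
/* Added example (not the tutorial's own code): a minimal C CGI program that
 * emits the Content-Type header, the blank separator line, and an HTML body
 * containing the server's current time, as helloworld.cgi and date.cgi are
 * described above. */
#include <stdio.h>
#include <string.h>
#include <time.h>

/* Build the complete CGI response for a given moment into buf.
 * Returns the number of characters written (excluding the NUL), or -1 on
 * error or truncation. The time is rendered in UTC so the output is
 * reproducible; a real date.cgi would use localtime() for server-local time. */
int build_time_response(char *buf, size_t buflen, time_t now)
{
    struct tm *tm = gmtime(&now);
    char stamp[64];

    if (tm == NULL)
        return -1;
    /* RFC 1123 style timestamp, e.g. "Thu, 01 Jan 1970 00:00:00 GMT" */
    if (strftime(stamp, sizeof stamp, "%a, %d %b %Y %H:%M:%S GMT", tm) == 0)
        return -1;

    /* The header block, then the blank line that terminates it, then the body.
     * Nothing in the body is client-supplied, so no HTML escaping is needed. */
    int n = snprintf(buf, buflen,
                     "Content-Type: text/html\r\n"
                     "\r\n"
                     "<html><head><title>Date and Time</title></head>\n"
                     "<body><h1>Hello, world!</h1>\n"
                     "<p>The server time is %s.</p></body></html>\n",
                     stamp);
    if (n < 0 || (size_t)n >= buflen)
        return -1;
    return n;
}

/* Length of the header portion of a response, i.e. the offset of the blank
 * separator line plus the separator itself; -1 if there is no separator. */
int header_length(const char *response)
{
    const char *sep = strstr(response, "\r\n\r\n");
    return sep ? (int)(sep - response) + 4 : -1;
}

int main(void)
{
    char out[512];
    if (build_time_response(out, sizeof out, time(NULL)) < 0)
        return 1;
    fputs(out, stdout);   /* the web server relays this to the client */
    return 0;
}
```

The blank line is written as CRLF CRLF: the CGI convention is that everything before the first empty line is header and everything after it is body, so a program that forgets the empty line (or prints body text first) produces a server error rather than a page.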
12.4.2.2. Source Code
Click here to view the source code
12.4.2.3. Test the Example
Click here to run date.cgi
12.4.3. Finger gateway
12.4.3.1. Description / Motivation
This CGI application is a gateway to the "finger" utility. The finger
system, when queried about a certain user, returns information about
that user (such as their real name, or their office telephone number).
So, this finger gateway provides a WWW interface to this system.
This example demonstrates:
- Passing input through the command line
The user forms a query to the finger gateway, providing the name (and
possibly the home system) of the person about which information is
desired. So, to query the finger gateway about the author, one would
access the following URL:
http://csgrad.cs.vt.edu/vanmetre-cgi/finger.cgi?vanmetre
At the end of the URL, "finger.cgi?vanmetre" means to send
the name "vanmetre" to the finger gateway. If one wished to find out
information about the account on example.system.com belonging to
Joe_Blow, one could access the following URL:
http://csgrad.cs.vt.edu/vanmetre-cgi/finger.cgi?Joe_Blow@example.system.com
(The "at" sign @ should really be encoded as %40)
- Checking parameters for security
As shown before in Section 12.3.1, a
finger gateway can leave open a large security hole. This example
demonstrates two ways to close this hole.
The example in Section 12.3.1 shows
that if a user accesses the URL
http://www.nowhere.com/cgi-bin/finger.cgi?vanmetre;rm+-rf+%2F
it will cause the server to issue the system command
finger vanmetre;rm -rf /
This is a problem if the finger gateway doesn't recognize the semicolon
and issues the command through a system() call or through a shell. In C,
when system() is called, the calling program starts another
process -- a shell -- and lets that shell execute a command. It is the
shell that allows the semicolon in the above command to split the
command into two separate instructions that are executed sequentially.
There are two main ways to bypass this problem.
- Remove the semicolon and all subsequent text
This will ensure that there is only one parameter to be passed to the
finger program, and that only one command (the finger command) can be
executed. It is also wise to remove any ampersands and any
subsequent text. This finger gateway example starts at the beginning of
the query passed to it and searches through each character until it
reaches the end or it finds a semicolon or an ampersand. If it finds
either, it replaces the offending character with a null character (ASCII
0) which terminates the string. This effectively removes any
potentially offensive command that may have followed the semicolon or
ampersand.
- Don't execute any commands through a shell
Since it is the shell that interprets a semicolon as a character which
separates two commands, it follows that bypassing the shell would be a
satisfactory way of eliminating the problem. To do this, one can use
the execvp function call. This ends the calling program and starts the
program provided in the execvp call (the new program keeps the same
process ID as the calling program). The finger gateway described in this
example does just this -- after retrieving the user's query and producing
the header output, the gateway launches the finger utility through an
execvp call.
A system() call creates a new process, uses execvp to turn that new
process into a shell, and tells the shell to execute a particular
command; the calling process waits for the shell to finish before
continuing execution. The finger gateway example given here does two
things differently: it doesn't launch a new process, and it doesn't
start a shell. This not only saves processing overhead, but it also
reduces the potential for security problems by bypassing the shell.
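The two defences just described, written out as an added C example (this is not the tutorial's finger.cgi): sanitize_query() is the truncate-at-semicolon-or-ampersand rule, is_safe_username() is a stricter allowlist added here, and run_finger() hands the name to finger as its own argv entry through execvp(), so no shell ever parses it. Unlike the tutorial's gateway, which calls execvp() directly and lets finger take over the CGI process, this version fork()s first so that it can report finger's exit status. All function names are chosen for this example.

```c
/* Added example (not the tutorial's finger.cgi): the two defences described
 * above. sanitize_query() implements the tutorial's truncate-at-';'-or-'&'
 * rule; is_safe_username() is a stricter allowlist that rejects every shell
 * metacharacter and a leading '-'; run_finger() launches finger with
 * fork() + execvp(), so no shell ever sees the input. */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <ctype.h>
#include <unistd.h>
#include <sys/wait.h>

/* The tutorial's rule: cut the query at the first ';' or '&' by writing a
 * NUL there. Returns the resulting length. Note that '|', '`', '$', newline
 * and others still pass, which is why a shell must never see the result. */
size_t sanitize_query(char *query)
{
    for (char *p = query; *p != '\0'; p++) {
        if (*p == ';' || *p == '&') {
            *p = '\0';
            break;
        }
    }
    return strlen(query);
}

/* Allowlist check: user[@host] made only of letters, digits, '.', '_', '-',
 * not starting with '-' (finger would parse that as an option), at most one
 * '@' with a host after it, and short. Returns 1 if acceptable, 0 otherwise. */
int is_safe_username(const char *s)
{
    size_t len = strlen(s);
    int ats = 0;
    if (len == 0 || len > 64 || s[0] == '-' || s[0] == '@')
        return 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char c = (unsigned char)s[i];
        if (c == '@') {
            /* the host part must not be empty or look like an option either */
            if (++ats > 1 || s[i + 1] == '\0' || s[i + 1] == '-')
                return 0;
        } else if (!isalnum(c) && c != '.' && c != '_' && c != '-') {
            return 0;
        }
    }
    return 1;
}

/* Run "finger <user>" without a shell. The child's stdout is inherited, so
 * its output follows whatever header the gateway already printed.
 * Returns finger's exit status, or -1 if the name was rejected or finger
 * could not be started. */
int run_finger(const char *user)
{
    if (!is_safe_username(user))
        return -1;
    pid_t pid = fork();
    if (pid < 0)
        return -1;
    if (pid == 0) {
        /* argv entries are passed as separate strings: a ';' or space inside
         * user would reach finger as literal characters, not shell syntax. */
        char *const argv[] = { "finger", (char *)user, NULL };
        execvp("finger", argv);
        _exit(127);                 /* only reached if execvp() failed */
    }
    int status;
    if (waitpid(pid, &status, 0) < 0)
        return -1;
    return WIFEXITED(status) ? WEXITSTATUS(status) : -1;
}

int main(void)
{
    const char *q = getenv("QUERY_STRING");
    char query[256];
    if (q == NULL)
        return 1;
    snprintf(query, sizeof query, "%s", q);
    sanitize_query(query);          /* the tutorial's rule, kept as a first cut */
    printf("Content-Type: text/plain\r\n\r\n");
    fflush(stdout);                 /* the header must precede the child's output */
    if (run_finger(query) < 0)
        printf("Invalid query.\n");
    return 0;
}
```

Two points a practitioner should note. First, this main() does not URL-decode the query (the tutorial points out that "@" arrives as %40); if decoding is added, the checks must run on the decoded string, since a sanitizer that only sees "%3B" never sees the semicolon. Second, bypassing the shell removes shell syntax as an issue but not finger's own argument parsing, which is why the allowlist rejects a leading "-" in both the user and the host part.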
12.4.3.2. Source Code
Click here to view the source code
12.4.3.3. Test the Example
Click here to obtain the author's finger information
12.4.4. Access Counter
12.4.4.1. Description / Motivation
This example presents a rough yet functional access counter. The CGI
application in this example doesn't return any HTML code or images --
instead, it returns pointers to GIF images. A WWW document that wishes
to contain this counter includes in its source n images, each of which
has its source specified by this CGI. Each of these n images is a digit
in the count of accesses to the parent document. The SRC attribute of
the IMG tag which displays these images is a call to counter.cgi; in
this call, a query is made which specifies the digit to be displayed.
This query is in the form of digit=i, where i selects the digit in the
10^i place. For example:
<IMG SRC="http://csgrad.cs.vt.edu/vanmetre-cgi/counter.cgi?digit=1">
will display the digit in the tens place.
Whenever a page asks counter.cgi for a digit, the URL of the referring
page is passed to counter.cgi in the HTTP_REFERER environment variable.
Each time the ones digit for a URL is accessed, counter.cgi increments
the access count for the referring URL and stores this value in a
database on the host server. This is an example of a desirable side
effect -- a global variable (the database file) is being modified, and
these modifications will affect all others who access this global
object at a later time.
This example demonstrates the following features of CGI applications:
- Passing input through a query
The digit to be displayed is passed into the CGI application through a
query. The query is passed from the requesting client to the server
using the GET method (Predefined Methods), and the query is given to
the CGI through the QUERY_STRING environment variable.
- Intended side effects
Updating the database when a page is requested is an intended side
effect.
- Document referral
As stated before, this CGI application doesn't return any data; it
returns in the header output the location of the data to be displayed.
This location points to a GIF image which is a static document stored on
a WWW server.
12.4.4.2. Source Code
Click here to view the HTML source code
Click here to view the CGI source code
12.4.4.3. Test the Example
Click here to view count-me.html
Copyright © 1996
J. Patrick Van Metre, All Rights Reserved
J. Patrick Van Metre <vanmetre@csgrad.cs.vt.edu>
Last modified: Sat Oct 26 13:26:04 1996