It is often reasonable to implement small CGI scripts using simple shell commands.
Example:
    #!/bin/sh
    # CGI header, then the blank line that ends it (portable, unlike echo "\n")
    printf 'Content-Type: text/plain\r\n\r\n'
    echo "Currently logged on users on: $(hostname)"
    who
This small example script lists the users who are currently logged on. That was easy. To implement parameterized scripts, the QUERY_STRING environment variable (HTTP GET method) or standard input (HTTP POST method) can be used to pass parameters from URLs or forms to the CGI script.
Unfortunately the passed data is URL-encoded. That means every special character is encoded so that it does not clash with characters that have a special meaning to the web server. Special characters are encoded using the `%` character followed by the hexadecimal value of the 8-bit character. The space character 32 (or 0x20) can also be encoded using a simple `+` character.
This encoding complicates decoding in shell scripts. But it's possible without using the bloated Perl interpreter:
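    #!/bin/sh
    printf 'Content-Type: text/plain\r\n\r\n'
    echo "The Http POST data you sent is decoded now:"
    # '+' becomes a space and encoded carriage returns (%0D) are dropped;
    # awk then decodes each %XX exactly once, left to right
    sed 's/+/ /g' | sed 's/%0[dD]//g' |
    LC_ALL=C awk -v d=0123456789abcdef '{
      out = ""
      while (match($0, /%[0-9a-fA-F][0-9a-fA-F]/)) {
        h = tolower(substr($0, RSTART + 1, 2))
        v = (index(d, substr(h, 1, 1)) - 1) * 16 + index(d, substr(h, 2, 1)) - 1
        out = out substr($0, 1, RSTART - 1) sprintf("%c", v)
        $0 = substr($0, RSTART + 3)
      }
      print out $0
    }'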
Does not look nice, but works. ;-)
Security Advisory: Using parameterized shell scripts for CGI may be a security issue for the server, as sloppily coded scripts can easily be exploited through simple shell expansions.
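
One way to act on the advisory above, as an added example that is not part of the original page: a POSIX sh script that extracts a single parameter from QUERY_STRING, decodes it once, and accepts it only if it passes an allowlist before it is used as a quoted argument. The function names and the `user` parameter are assumptions made for the illustration.

```sh
#!/bin/sh
# Added example: helper names and the "user" parameter are assumptions.

# Decode one value: '+' becomes a space, each %XX is decoded exactly once.
urldecode() {
  printf '%s\n' "$1" | sed 's/+/ /g' | LC_ALL=C awk -v d=0123456789abcdef '{
    out = ""
    while (match($0, /%[0-9a-fA-F][0-9a-fA-F]/)) {
      h = tolower(substr($0, RSTART + 1, 2))
      v = (index(d, substr(h, 1, 1)) - 1) * 16 + index(d, substr(h, 2, 1)) - 1
      out = out substr($0, 1, RSTART - 1) sprintf("%c", v)
      $0 = substr($0, RSTART + 3)
    }
    print out $0
  }'
}

# Print the decoded value of parameter $1 found in query string $2.
get_param() {
  _rest=$2
  while [ -n "$_rest" ]; do
    _pair=${_rest%%&*}
    case $_rest in *"&"*) _rest=${_rest#*&} ;; *) _rest= ;; esac
    if [ "${_pair%%=*}" = "$1" ]; then
      case $_pair in *=*) urldecode "${_pair#*=}" ;; esac
      return 0
    fi
  done
  return 1
}

# Allowlist: 1-32 characters from [A-Za-z0-9_-], not starting with '-'.
valid_username() {
  case $1 in ''|-*|*[!A-Za-z0-9_-]*) return 1 ;; esac
  [ "${#1}" -le 32 ]
}

# List sessions of one validated user; the value is only ever used as data.
handle_request() {
  _user=$(get_param user "$1") || { echo "missing parameter: user"; return 1; }
  valid_username "$_user" || { echo "rejected parameter: user"; return 1; }
  who | awk -v u="$_user" '($1 "") == u'   # quoted argument, no eval, no sh -c
}

# Run as a CGI script only when the web server sets GATEWAY_INTERFACE.
if [ -n "${GATEWAY_INTERFACE:-}" ]; then
  printf 'Content-Type: text/plain\r\n\r\n'
  handle_request "${QUERY_STRING:-}"
fi
```

Validation runs on the decoded value, so an encoded metacharacter is rejected just like a literal one.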