Beefy Boxes and Bandwidth Generously Provided by pair Networks Joe
Perl: the Markov chain saw
 
PerlMonks  

Re: Perl as a command executor (with hash variable substitution)

by kennethk (Monsignor)
on Mar 21, 2013 at 19:20 UTC ( #1024808=note: print w/ replies, xml ) Need Help??


in reply to Perl as a command executor (with hash variable substitution)

There are a host of potential problems, security and otherwise, you may have to deal with for this, but let's ignore all those and attack the specific issue you've asked about.

You need Perl to perform variable interpolation on a previously existing string. You can accomplish this using a string eval, after formatting your input like a string to be interpolated. This means escaping potentially problematic characters first like backslashes and previously existing quotes.

my %TEST_HASH = (TEST_KEY => 'TEST_VALUE'); my $cmd = '/bin/touch $TEST_HASH{"TEST_KEY"}'; $cmd =~ s/\\/\\\\/g; $cmd =~ s/"/\\"/g; $cmd = eval qq{"$cmd"} or die $@; print $cmd

Please don't run your intended code on any machine you care about security on, because this is pretty much the definition of injection and privilege escalation.


#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.


Comment on Re: Perl as a command executor (with hash variable substitution)
Download Code
Re^2: Perl as a command executor (with hash variable substitution)
by RecursionBane (Acolyte) on Mar 21, 2013 at 19:29 UTC
    Thank you! I understand the security risks. These commands will be executed by the logged in user with his/her privileges. I will keep security in memory when attempting to deploy this in scale.

      Please don't deploy this. It's so ... evil.

      Tell us what you want to achieve. I'm pretty sure there are solutions where you don't have to sell your soul.

      McA

      I will keep security in memory when attempting to deploy this in scale.

      Security will, indeed, be but a memory, and a faint one at that.

        Your response made me laugh during a meeting. Thank you for that. :-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1024808]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others having an uproarious good time at the Monastery: (5)
As of 2014-04-20 02:45 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    April first is:







    Results (485 votes), past polls