Beefy Boxes and Bandwidth Generously Provided by pair Networks
There's more than one way to do things
 
PerlMonks  

Getting information about a remote file via SSH: how to escape the filename

by jonadab (Parson)
on Jun 27, 2013 at 11:48 UTC ( #1040994=perlquestion: print w/ replies, xml ) Need Help??
jonadab has asked for the wisdom of the Perl Monks concerning the following question:

Ok, it's been a while since I've been this stumped on a Perl question and resorted to asking for help.

Ultimately, what I'm trying to accomplish here is to get information on any given remote file. I have access to the remote system via ssh and know the file's full path: call that $remotefile

The approach I was thinking of using is like so:

use Net::SSH::Perl; my $ssh = Net::SSH::Perl->new($remotehost); $ssh->login($remoteuser, $remotepassword); my($stdout, $stderr, $exit) = $ssh->cmd(qq[ls -l $remotefile]); # Then parse the info I want from $stdout with an easy regex

But I can't rule out the possibility that the remote filename might contain shell metacharacters.

My immediate thought was, "No problem, I'm sure the CPAN has six different modules for escaping shell metacharacters," but all I seem to be able to find is modules that appear to be intended for escaping strings in program source code (notably, String::Escape) or undoing said escaping (Encode::Escape for instance). To the best of my knowledge, those probably won't do entirely the right thing (e.g., with spaces). Am I correct in assuming that I need something different?

The characteristics of the remote system are known, and are essentially the same as the local system, although they get updates at different times. (Both systems are Debian.)

Thoughts? Other approaches?

-- 
We're working on a multi-year set of freely redistributable Vacation Bible School materials.

Comment on Getting information about a remote file via SSH: how to escape the filename
Download Code
Re: Getting information about a remote file via SSH: how to escape the filename
by salva (Abbot) on Jun 27, 2013 at 12:24 UTC
    Net::OpenSSH can do it for you:
    use Net::OpenSSH; my $ssh = Net::OpenSSH->new($remotehost, user => $remoteuser, password + => $remotepassword); $ssh->die_on_error("unable to connect to remote host"); my ($out, $err) = $ssh->capture2(ls => '-l', $remotefile);

    Another option is to use SFTP:

    use Net::SFTP::Foreign; use Data::Dumper; my $sftp = Net::SFTP::Foreign->new($remotehost, user => $remoteuser, password => $r +emotepassword, autodie => 1); my $attr = $sftp->stat($remotefile); print Dumper $attr;

      Thanks. I will definitely look into Net::OpenSSH; that seems like a good way to go for this project.

Re: Getting information about a remote file via SSH: how to escape the filename
by Happy-the-monk (Monsignor) on Jun 27, 2013 at 13:17 UTC

    $ssh->cmd(qq[ls -l $remotefile]); # Then parse the info I want from $stdout with an easy regex

    But I can't rule out the possibility that the remote filename might contain shell metacharacters.

    This should do it: $ssh->cmd(qq[ls -l "$remotefile"]);

    Cheers, Sören

    (hooked on the Perl Programming language)

      $remotefile=qq[foo"; rm -Rf /; echo "bar]

        In my particular situation, actively malicious filenames are very unlikely to occur (and if they do, it implies that I have much bigger problems than this program can possibly address or even meaningfully exacerbate).

        However, I still don't want the thing to fail to work correctly if a filename happens for some reason to contain quotation marks.

        $remotefile=qq[foo"; rm -Rf /; echo "bar]

        You'd better untaint your variables, Monk!

        Cheers, Sören

        (hooked on the Perl Programming language)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://1040994]
Approved by salva
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others avoiding work at the Monastery: (6)
As of 2014-12-21 00:08 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (99 votes), past polls