
Re^3: Is it possible to execute some command in qx argument

by shmem (Chancellor)
on May 05, 2017 at 08:06 UTC


in reply to Re^2: Is it possible to execute some command in qx argument
in thread Is it possible to execute some command in qx argument

In the OP you write:

I have the script on one of my systems that I can't modify at all

Well, this reeks of privilege escalation. Why can't you modify a script? I can think of a number of reasons/scenarios, and a short description of why this can't be done would be appropriate, so any suspicion of inappropriate privilege escalation would have been dispersed at the beginning.

So this is an XY problem. The script should be fixed in the first place, at its origin. A script which allows execution of arbitrary commands by this simple mechanism is a high security risk which should be fixed immediately. You should escalate this issue, not your privileges.

Unfortunately there are a number of vm templates with incorrect script which is a huge pain to manually log in and fix.

There are ways to automate this process. It would have been better to ask for ways of how to do that. If this script is part of a deployment environment shipped by some VM vendor, please escalate to that vendor prior to disclosure. There's no need to delete this thread (yet ;-)

perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

Replies are listed 'Best First'.
Re^4: Is it possible to execute some command in qx argument
by vladimirfedorov (Novice) on May 06, 2017 at 00:53 UTC
    Sure I understand the concern. I agree fully that the script should be fixed and it is planned for the next release of the VM template. This VM template is produced internally by our development org and we are managing an internal cloud where we they want to spin up sessions off of this template. The problem is that this script will be only fixed in later versions of the template.

    Anyway it appeared it was not that simple after all. The suggested approaches did work in command line, but when testing end to end I found out that all quotes and apostrophes were replaced with &quot; and &apos;. The arguments are being passed in the vm through an xml, so I guess that's why they were converted. So unless there is a way to do the same without apostrophes or quotes, our script is safe :).

      So unless there is a way to do the same without apostrophes or quotes, our script is safe :).

      Um, so it doesn't know how to read XML in addition to not knowing how to shell quote/escape?

      yuck
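
An added example, not code from the thread or from the script under discussion (which the thread never shows): it does the two things the last reply says the script fails to do, decoding the XML entities and handing the value to a program without a shell. The names `xml_unescape` and `run_tool`, the sample value, and `/usr/bin/printf` as a stand-in for the real tool are assumptions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# The five predefined XML entities, decoded in a single pass so that
# "&amp;quot;" yields the text "&quot;" and not a quote character.
my %XML_ENTITY = (quot => '"', apos => "'", lt => '<', gt => '>', amp => '&');

sub xml_unescape {
    my ($text) = @_;
    $text =~ s/&(quot|apos|lt|gt|amp);/$XML_ENTITY{$1}/g;
    return $text;
}

# Run a fixed program with $value as exactly one argv element. The list
# form of a piped open calls exec directly, so no shell ever parses the
# value (qx hands its interpolated string to the shell whenever that
# string contains shell metacharacters).
sub run_tool {
    my ($value) = @_;
    # /usr/bin/printf stands in for the real tool (assumption).
    open(my $out, '-|', '/usr/bin/printf', '%s\n', $value)
        or die "cannot start tool: $!";
    my @lines = <$out>;
    close($out) or die "tool failed, status $?";
    chomp @lines;
    return @lines;
}

# Constructed sample: the argument as it arrives inside the XML document.
my $raw     = 'name=&quot;web 01&quot; owner=O&apos;Brien';
my $decoded = xml_unescape($raw);
my @output  = run_tool($decoded);

print "raw:     $raw\n";
print "decoded: $decoded\n";
print "tool saw one argument: $output[0]\n";
```

With the value passed as a list element, quotes, apostrophes and spaces reach the tool as literal characters, so the script's safety no longer depends on what the XML layer happens to escape.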
