http://www.perlmonks.org?node_id=296183

mce has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I might be totally wrong about this issue, but here if goes.
It is a security issue when using shell escapes (in CGI).
I have a program like

my $cmd="ls";
my $arg1=" file; ls";
my $arg2=" file";
system($cmd,$arg1,$arg2);
warn qx/$cmd $arg1 $arg2/;
warn `$cmd $arg1 $arg2`;
This generates this output
ls: file; ls: No such file or directory
ls: file: No such file or directory
file
file
file
file
When using the system command, it 'quotes' the arguments, which is safer in CGI. But how do I do this in qx or <backtick>? I can use quotemeta, but isn't there a better solution?

What I want to achieve, is to capture the output of a command, which system will not allow.

Any suggestions?
---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium

Re: system versus qx security
by zby (Vicar) on Oct 03, 2003 at 10:40 UTC
    Actually what the system function is doing is not 'quoting' the parameters but directly supplying them to the OS exec call.
    Note that argument processing varies depending on the number of arguments. If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, (...)
    While qx supplies the command to the shell for parsing for arguments. And this happens in the 'only one scalar argument' case above too (which I cut out for brevity).

    You might try to look at IPC::Open2 or IPC::Open3 functions. They can be called in similar fashions as system.

      If such a call exists. Under some OSes it does quote parameters (and then crosses fingers). It's true though that the shell is not involved in system($cmd,@params).

      Jenda
      Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
         -- Rick Osborne

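Added example, not code from anyone in this thread: the question's $cmd/$arg1/$arg2 run through the list form of open ('-|') and through IPC::Open3, both of which hand argv straight to exec as zby describes, so the "; ls" inside $arg1 is never seen by a shell while the output is still captured. The helper names capture_stdout and capture_both are my own.

```perl
#!/usr/bin/perl
# Added example: capture a command's output without shell parsing.
use strict;
use warnings;
use IPC::Open3;

# Same values as the question; $arg1 carries a shell metacharacter.
my $cmd  = "ls";
my $arg1 = " file; ls";
my $arg2 = " file";

# List-form pipe open: argv goes verbatim to exec(), no /bin/sh.
# Captures stdout only; the child's stderr stays on ours.
sub capture_stdout {
    my ($prog, @args) = @_;
    open(my $fh, '-|', $prog, @args)
        or die "cannot run $prog: $!";
    my @lines = <$fh>;
    close $fh;                     # sets $? as system() does
    return (\@lines, $? >> 8);
}

# IPC::Open3 with undef for the stderr handle merges the child's
# stderr into the stdout pipe, so one sequential read cannot deadlock.
# Like system(LIST), the command is an argv list, never a shell string.
sub capture_both {
    my ($prog, @args) = @_;
    my $pid = open3(my $in, my $out, undef, $prog, @args);
    close $in;                     # nothing to feed the child
    my @lines = <$out>;
    waitpid($pid, 0);              # reap; exit status lands in $?
    return (\@lines, $? >> 8);
}

my ($out, $status) = capture_stdout($cmd, $arg1, $arg2);
# ls complains about ' file; ls' and ' file' as two literal names:
# no directory listing appears, because no shell split the string.
print "open -|: exit $status, ", scalar(@$out), " stdout line(s)\n";

my ($both, $st) = capture_both($cmd, $arg1, $arg2);
print "open3:   exit $st\n";
print "  $_" for @$both;
```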