PerlMonks  

system versus qx security

by mce (Curate)
on Oct 03, 2003 at 09:46 UTC (#296183)
mce has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I might be totally wrong about this issue, but here it goes.
It is a security issue when using shell escapes (in CGI).
I have a program like

    my $cmd  = "ls";
    my $arg1 = " file; ls";   # to a shell this reads as two commands
    my $arg2 = " file";
    system($cmd, $arg1, $arg2);   # LIST form: no shell, each arg passed as-is
    warn qx/$cmd $arg1 $arg2/;    # one string handed to the shell: "; ls" runs
    warn `$cmd $arg1 $arg2`;      # backticks behave the same as qx

This generates this output:
ls: file; ls: No such file or directory
ls: file: No such file or directory
file
file
file
file
When using the system command, it 'quotes' the arguments, which is safer in CGI. But how do I do this in qx or <backtick>? I can use quotemeta, but isn't there a better solution?

What I want to achieve, is to capture the output of a command, which system will not allow.

Any suggestions?
---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium

Replies are listed 'Best First'.
Re: system versus qx security
by zby (Vicar) on Oct 03, 2003 at 10:40 UTC
    Actually what the system function is doing is not 'quoting' the parameters but directly supplying them to the OS exec call.
    Note that argument processing varies depending on the number of arguments. If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, (...)
    While qx supplies the command to the shell for parsing for arguments. And this happens in the 'only one scalar argument' case above too (which I cut out for brevity).

    You might try to look at the IPC::Open2 or IPC::Open3 functions. They can be called in a similar fashion as system.

      If such a call exists. Under some OSes it does quote parameters (and then crosses fingers). It's true though that the shell is not involved in system($cmd,@params).

      Jenda
      Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
         -- Rick Osborne

      Edit by castaway: Closed small tag in signature
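As an added example (not code from this thread), here is the capture the original poster asks for, done the way zby's reply points at: the command and its arguments are passed as a list, so no shell ever parses the string " file; ls". It assumes a Unix-like system where no file named "file" exists; the arguments are constructed to mirror the question.

```perl
#!/usr/bin/perl
# Added example: capture a command's output without a shell seeing the arguments.
use strict;
use warnings;
use IPC::Open3 qw(open3);
use Symbol qw(gensym);

# Constructed input: the first argument looks like a shell injection attempt.
my $cmd  = 'ls';
my @args = ('file; ls', 'file');

# Way 1: list-form pipe open. With two or more elements after '-|', Perl
# forks and execs $cmd directly; '; ls' stays a literal file name.
# Caveat: with only ONE element after '-|' Perl falls back to the shell,
# so always pass at least one argument this way.
sub capture_stdout {
    my ($cmd, @args) = @_;
    open(my $fh, '-|', $cmd, @args) or die "cannot exec $cmd: $!";
    my @out = <$fh>;
    close($fh);                 # close() sets $? for a piped open
    return (\@out, $? >> 8);    # lines, exit status
}

# Way 2: IPC::Open3 with a LIST, which also captures stderr (the
# "No such file or directory" lines the poster saw). Reading stdout to
# the end before stderr is fine for small output; large stderr output
# can fill the pipe and deadlock, so use select() or IPC::Run for that.
sub capture_both {
    my ($cmd, @args) = @_;
    my $err = gensym;
    my $pid = open3(my $in, my $out, $err, $cmd, @args);
    close($in);                 # the child gets no stdin
    my @stdout = <$out>;
    my @stderr = <$err>;
    waitpid($pid, 0);
    return (\@stdout, \@stderr, $? >> 8);
}

my ($out, $status) = capture_stdout($cmd, @args);
print "stdout: @$out" if @$out;
print "exit status: $status\n";

my ($o, $e, $s) = capture_both($cmd, @args);
print "stderr: @$e" if @$e;
```

With the arguments above, ls reports that the file "file; ls" does not exist instead of running a second ls, which is the behaviour the poster got from system() but not from qx.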

Node Type: perlquestion [id://296183]
Approved by zby