PerlMonks
system versus qx security

by mce (Curate)
on Oct 03, 2003 at 09:46 UTC (#296183)
mce has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I might be totally wrong about this issue, but here it goes.
It is a security issue when using shell escapes (in CGI).
I have a program like

    my $cmd="ls";
    my $arg1=" file; ls";
    my $arg2=" file";
    system($cmd,$arg1,$arg2);
    warn qx/$cmd $arg1 $arg2/;
    warn `$cmd $arg1 $arg2`;

This generates this output:

    ls: file; ls: No such file or directory
    ls: file: No such file or directory
    file
    file
    file
    file
When using the system command, it 'quotes' the arguments, which is more safe in CGI. But how do I do this in qx or <backtick>? I can use quotemeta, but isn't there a better solution?

What I want to achieve is to capture the output of a command, which system will not allow.

Any suggestions?
---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium

Re: system versus qx security
by zby (Vicar) on Oct 03, 2003 at 10:40 UTC
    Actually what the system function is doing is not 'quoting' the parameters but directly supplying them to the OS exec call.
    Note that argument processing varies depending on the number of arguments. If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, (...)
    While qx supplies the command to the shell for parsing for arguments. And this happens in the 'only one scalar argument' case above too (which I cut out for brevity).

    You might try to look at IPC::Open2 or IPC::Open3 functions. They can be called in similar fashions as system.

      If such a call exists. Under some OSes it does quote parameters (and then crosses fingers). It's true though that the shell is not involved in system($cmd,@params).

      Jenda
      Always code as if the guy who ends up maintaining your code will be a violent psychopath who knows where you live.
         -- Rick Osborne

      Edit by castaway: Closed small tag in signature
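Both replies point to the same fix: pass the argument list to the OS without a shell, the way multi-argument system() does, and read the output back through a pipe. The following is an added example, not code from the thread, showing that with the list form of open and with IPC::Open3 (the arguments are constructed to mirror the original post):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use IPC::Open3;
use Symbol 'gensym';

# Capture a command's stdout without a shell. The list form of open
# hands the argument list straight to exec(), exactly like the
# multi-argument system(), so "; ls" stays a literal part of one
# argument instead of being parsed as a second command.
sub capture_stdout {
    my ($cmd, @args) = @_;
    open(my $fh, '-|', $cmd, @args) or die "cannot run $cmd: $!";
    my @lines = <$fh>;
    close($fh);                  # close() sets $? for a pipe handle
    return ($? >> 8, @lines);    # exit status, then output lines
}

# Same idea with IPC::Open3 when stderr must be kept separate.
# Caveat: reading stdout fully before stderr can block if the child
# fills the stderr pipe; for large output use IO::Select or IPC::Run.
sub capture_all {
    my ($cmd, @args) = @_;
    my $err = gensym;            # explicit handle, or stderr merges into stdout
    my $pid = open3(my $in, my $out, $err, $cmd, @args);
    close $in;                   # the child gets no stdin
    my @out = <$out>;
    my @err = <$err>;
    waitpid($pid, 0);
    return ($? >> 8, \@out, \@err);
}

# Constructed input from the original post: the "file name" carries
# shell metacharacters. No shell is started, so ls simply reports that
# a file literally named " file; ls" does not exist; nothing else runs.
my ($status, $out, $err) = capture_all('ls', ' file; ls', ' file');
print "exit status: $status\n";
print "stdout: $_" for @$out;
print "stderr: $_" for @$err;
```

As Jenda notes, this only bypasses the shell where the OS has a real exec with an argument vector; on Windows Perl has to rebuild a command line, so quoting still matters there.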
