Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

Re: Perl as a command executor (with hash variable substitution)

by kennethk (Abbot)
on Mar 21, 2013 at 19:20 UTC ( #1024808=note: print w/replies, xml ) Need Help??


in reply to Perl as a command executor (with hash variable substitution)

There are a host of potential problems, security and otherwise, you may have to deal with for this, but let's ignore all those and attack the specific issue you've asked about.

You need Perl to perform variable interpolation on a previously existing string. You can accomplish this using a string eval, after formatting your input like a string to be interpolated. This means escaping potentially problematic characters first like backslashes and previously existing quotes.

my %TEST_HASH = (TEST_KEY => 'TEST_VALUE'); my $cmd = '/bin/touch $TEST_HASH{"TEST_KEY"}'; $cmd =~ s/\\/\\\\/g; $cmd =~ s/"/\\"/g; $cmd = eval qq{"$cmd"} or die $@; print $cmd

Please don't run your intended code on any machine you care about security on, because this is pretty much the definition of injection and privilege escalation.


#11929 First ask yourself `How would I do this without a computer?' Then have the computer do it the same way.

Replies are listed 'Best First'.
Re^2: Perl as a command executor (with hash variable substitution)
by RecursionBane (Beadle) on Mar 21, 2013 at 19:29 UTC
    Thank you! I understand the security risks. These commands will be executed by the logged in user with his/her privileges. I will keep security in memory when attempting to deploy this in scale.

      Please don't deploy this. It's so ... evil.

      Tell us what you want to achieve. I'm pretty sure there are solutions where you don't have to sell your soul.

      McA

      I will keep security in memory when attempting to deploy this in scale.

      Security will, indeed, be but a memory, and a faint one at that.

        Your response made me laugh during a meeting. Thank you for that. :-)

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://1024808]
help
Chatterbox?
[PriNet]: quick question... anyone know how to remove all the existing keys in a %hash ? i've tried several options, but when i re-use the hash, some of the "upper" keys that i don't re-use stick and i can't get them to "remove"

How do I use this? | Other CB clients
Other Users?
Others browsing the Monastery: (2)
As of 2017-06-28 02:46 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?
    How many monitors do you use while coding?















    Results (619 votes). Check out past polls.