How to execute a shell command from a CGI script

antovinraj has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I want to access all the changes submitted in perforce and to display in the web page for a particular user. CGI Script:

#!/usr/bin/perl -wT
use CGI;
$cgi = CGI->new;
print $cgi->header;

print <<EndOfHTML;
<form action="post.cgi" method="POST">
 <table>
   <tr><td>Perforce User</td>
     <td><select size="1" name="user">
      <option name="antoine">antoine</option></select>
     </td></tr>
   <tr>
     <td>Start Date</td><td><input name=startdate></td>
   </tr><tr>
      <td>End Date</td><td><input name=enddate></td>
    </tr><tr>
     <td colspan=2 align=\"center\"><input type=\"submit\" value=\"Sub
+mit\"></td>
    </tr></table></form>";
EndOfHTML
[download]

post.cgi:

#!/usr/bin/perl -w
use CGI;
$ENV{ 'PATH' } = '/bin:/usr/bin:/usr/local/bin';
delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' };

print header;
my %form;
foreach my $p (param()) {
    $form{$p} = param($p);
}
my $user = $form{'user'};
my $output = system ("sudo -i -u avinodh p4 changes -u $user > /tmp/$u
+ser");
print $output;
print "The active user is: ", `whoami`;
print end_html;
[download]

When we execute the script in the browser it is giving output as "256The active user is: www-data". Please provide your inputs. Thank You Antoine.

Comment on How to execute a shell command from a CGI script Select or Download Code

Replies are listed 'Best First'.
Re: How to execute a shell command from a CGI script by hippo (Bishop) on Aug 21, 2014 at 10:16 UTC
system returns the exit status of the command being run. Compare that against backticks (or the qx equivalent) which return the output of the command being run. But, please note the contributions by my learned brethren exhorting you to greater care over validation and cleansing of your inputs. You are using taint mode, which is good, but you are using it on entirely the wrong script. `post.cgi` is the one where taint mode will have the greater effect.	[reply] [d/l]
Holy Security Hole Batman! by blue_cowdawg (Monsignor) on Aug 21, 2014 at 16:22 UTC
I am having severe ogita about that bit of code. You have created a security hole I could drive a truck through. Running `sudo` from a CGI script is a bad bad idea. Think of a way of doing this without the sudo. Peter L. Berghold -- Unix Professional Peter -at- Berghold -dot- Net; Blog: http://blog.berghold.net Warning: No political correctness allowed.	[reply] [d/l]
Re: How to execute a shell command from a CGI script by Anonymous Monk on Aug 21, 2014 at 06:48 UTC
Why are you not validating `my $user = $form{'user'};`? Thats dangerous	[reply] [d/l]
Re^2: How to execute a shell command from a CGI script by antovinraj (Initiate) on Aug 21, 2014 at 06:51 UTC
I have been validating in the script whether any null values are there. I have removed that code, so that it can easily understand.	[reply]
Re^3: How to execute a shell command from a CGI script by choroba (Cardinal) on Aug 21, 2014 at 07:52 UTC
`; rm -rf /` is much more dangerous than a null value. لսႽ† ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ	[reply] [d/l]
Re^3: How to execute a shell command from a CGI script by marto (Cardinal) on Aug 21, 2014 at 07:54 UTC
You are missing the more serious point. A null value is the least of your concerns, imagine what commands someone could make this run, and you execute them via sudo!	[reply]
Re: How to execute a shell command from a CGI script by CountZero (Bishop) on Aug 22, 2014 at 06:20 UTC
`post.cgi` seems to do exactly what you ask it to do and the output you mention is exactly as one should expect to see. So what is your problem? CountZero A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James My blog: Imperial Deltronics	[reply] [d/l]


XP is just a number
	PerlMonks