Gossamer Forum

Call shell script from perl

I want to call a shell script from one of my perl scripts. There are some arguments I want to pass to the script. To be more precise, I have a user input for $query and I have the following statement
Code:
$ENV{'QUERY_STRING'} = "query=$query";

# Run script
system("$dir/searchscript.sh");
Is that secure? (Well, probably not...) How would I have to "escape" $query so that the command becomes more secure?

Thanks a lot.

Ivan
-----
Iyengar Yoga Resources / GT Plugins
Re: [yogi] Call shell script from perl
If you used CGI.pm then you wouldn't need to use $ENV{QUERY_STRING} and could use $obj->escape

Last edited by:

RedRum: Jan 15, 2002, 3:35 AM
Re: [RedRum] Call shell script from perl
So out of curiosity, how would that help anything if I send "rm -rf *" in with the query string? All it would do is escape a couple of characters, which would still get executed the way I want when it gets to the command line. [Yes, I've oversimplified, but that's the gist of it.] [edit... didn't mean that to sound like I was picking on you --mark]

Bottom line, not only is what is being requested insecure, but outright dangerous. User supplied input should almost never be passed to system functions. For the times it HAS to be, extreme measures should be taken, and even then I would still worry. That's one of the most dangerous aspects of CGI scripts. Someone malicious WILL find a way to exploit that.

My advice to the OP is to find a better solution than what you are asking. Trust me. :)

--mark

Last edited by:

Mark Badolato: Jan 15, 2002, 6:29 AM
Re: [Mark Badolato] Call shell script from perl
Totally agree with you Mark. If you =have= to use the shell with Perl, then try removing all metacharacters manually. This snippet will only save characters you're happy with:

Code:
$query =~ tr/a-zA-Z0-9+&\t\@ //cd;

However, the best approach is to check incoming data for the exact pattern you're expecting. If it doesn't match, then complain bitterly and exit.

You could also try taint. Pass a -T flag to the interpreter and read up on taint in the perldocs. This, in its basic form, requires you to have sent incoming data through a strict regex before it passes it to any shell. Otherwise, Perl will throw an error.

- wil

Last edited by:

Wil: Jan 15, 2002, 6:39 AM
Re: [Mark Badolato] Call shell script from perl
My bad. Hmm, can't believe I missed it too.
Post deleted by RedRum

Last edited by:

RedRum: Jan 15, 2002, 6:44 AM
Re: [yogi] Call shell script from perl
Yeah, you have to be careful with that one. Depending on how you use the variable in your shell script it could be very dangerous.

For instance, if your script is just:

Code:
#!/bin/sh

echo $QUERY_STRING;

chances are you'll be ok. You can throw pipes and semicolons all day long and it just sees it as a string to spit out.

However, if you called another script from within the shell script and passed in the key/value pairs as arguments you could be in real trouble.

My personal favorite command for these situations is:

Code:
chmod -R a-x /*

Oh, and if you test that, I have no responsibility ;)

-g

s/(\d{2})/chr($1)/ge + print if $_ = '8284703280698276687967';
Re: [GClemmons] Call shell script from perl
Good to see you again, stranger!

- wil
Re: [GClemmons] Call shell script from perl
Hey good to see you....you've not been around for a long time.

Last edited by:

RedRum: Jan 15, 2002, 6:53 AM
Re: [RedRum] Call shell script from perl
thanks, i've been trying my best to get out of middle-ware hell and into game development so i've been a bit disconnected.

glad to see gossamer is still going strong.

-g
Re: [GClemmons] Call shell script from perl
Thanks for your answers.

The script I want to call is htsearch, part of the ht://dig search engine. I am calling it inside a perl script, and want to process the output in my perl script. Basically, the script outputs html (depending on how you configure it).

I guess the system call is as secure as the htsearch script. At the moment, I am manually setting the $ENV{'QUERY_STRING'} variable and calling htdig from within my perl script (the perl script runs with the permissions of the webserver). It seems to me that this is just as secure (or insecure) as running it directly from a browser.

Ivan
-----
Iyengar Yoga Resources / GT Plugins
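Editor's added example, putting Wil's advice above (check the input against the exact pattern you expect, exit if it doesn't match, consider -T) together with Ivan's description of calling htsearch and reading its HTML output. This is not code from the thread or from ht://Dig. The allow-list pattern and 100-character limit, the QUERY_STRING and REQUEST_METHOD variables htsearch is assumed to read, and the /usr/lib/cgi-bin/htsearch path are all assumptions for the example. The point it demonstrates is that the Perl side never starts /bin/sh at all, so what Mark calls "passing user input to system functions" is reduced to handing a validated, percent-encoded token to one known program through its environment.

```perl
#!/usr/bin/perl
# Added example (not from the thread): validate a user query, pass it to a
# CGI-style search program through the environment, and read the program's
# output back, without ever starting a shell. Run with -T as well to have
# Perl refuse any use of the query that has not been through the regex below.
use strict;
use warnings;

# Allow-list check: keep only queries made of letters, digits, space and
# _ . -, between 1 and 100 characters long. The pattern and the limit are
# assumptions for this example, not ht://Dig's own rules. Returns undef on
# rejection so the caller can complain and exit; the captured $1 is also
# what untaints the value under -T.
sub validate_query {
    my ($raw) = @_;
    return undef unless defined $raw;
    return $raw =~ /\A([A-Za-z0-9 _.\-]{1,100})\z/ ? $1 : undef;
}

# Percent-encode for QUERY_STRING: everything except A-Z a-z 0-9 _ . - is
# turned into %XX, so the value reaches the receiver as one opaque token.
sub url_encode {
    my ($s) = @_;
    $s =~ s/([^A-Za-z0-9_.\-])/sprintf('%%%02X', ord $1)/ge;
    return $s;
}

# Run $prog (assumed here to be the path of the htsearch binary) with the
# query in QUERY_STRING, and return everything it prints on stdout.
# The fork + exec{} form never consults /bin/sh, so metacharacters in the
# query cannot become commands on the Perl side; what the called program
# does with its input afterwards is that program's own responsibility.
sub run_search {
    my ($prog, $raw_query) = @_;
    my $clean = validate_query($raw_query);
    die "Rejected query: not in the expected form\n" unless defined $clean;

    local $ENV{QUERY_STRING}   = 'query=' . url_encode($clean);
    local $ENV{REQUEST_METHOD} = 'GET';            # what a CGI program expects to see
    local $ENV{PATH}           = '/bin:/usr/bin';  # a fixed PATH is also required under -T

    my $pid = open(my $out, '-|');   # fork; the child's stdout comes back through $out
    die "Cannot fork: $!\n" unless defined $pid;
    if ($pid == 0) {
        # Child: indirect-object exec with a single argument list, no shell.
        exec { $prog } $prog or die "Cannot exec $prog: $!\n";
    }
    my $html = do { local $/; <$out> };   # slurp the program's output
    close $out or warn "$prog exited with status ", $? >> 8, "\n";
    return $html;
}

# Usage: the search program path is an assumption for the example; the
# query comes from the command line here instead of from a form field.
my $htsearch = '/usr/lib/cgi-bin/htsearch';
my $query    = defined $ARGV[0] ? $ARGV[0] : 'iyengar yoga';
my $html     = run_search($htsearch, $query);
print $html;
```

With this shape a query such as "foo; rm -rf *" dies at validate_query before anything is executed, and even a query that passed the check could only ever reach htsearch as a percent-encoded QUERY_STRING value, never as shell syntax. Ivan's observation still holds for the other half: the call is only as safe as what htsearch itself does with QUERY_STRING.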
Re: [GClemmons] Call shell script from perl
>>
chmod -R a-x /*

oh, and if you test that, i have no responsibility ;)
<<

I'm guessing it craps up your file permissions recursively from the root?

That means you need to be root though?

Last edited by:

RedRum: Jan 15, 2002, 7:21 AM
Re: [RedRum] Call shell script from perl
Quote:
Popular Cock ups With Permissions
Handle permissions with care! They are an integral part of GNU/Linux' security concept and may cause you some trouble if applied thoughtlessly. Some examples:

chmod -R a-x text. This is a very popular one. You have copied a directory called 'text' from a MS-Windows® partition. Due to discrepancies in file handling all the files in this directory have the execution bit set (x). "No problem" you think and execute this command. Next time you want to switch into this directory, you just get

bash: cd: text: Permission denied

You 'su' to the root account and try again:

bash: cd: text: Permission denied

What the ...? Well, you did not only remove the execution bit from the files in the 'text' directory but also from the directory itself! Which means that no one - even 'root' - is allowed to go into this directory anymore!

http://www.mandrakeuser.org/...basics/bpermis2.html

- wil

Last edited by:

Wil: Jan 15, 2002, 7:28 AM