Executing Commands Without Shell Escapes (Perl Cookbook ...


19.5. Executing Commands Without Shell Escapes

19.5.1. Problem

You need to use a user's input as part of a command, but you don't want to allow the user to trick the shell into running other commands or looking at other files. If you just blindly call the system function or backticks on a single string containing a command line derived from untested user input, the shell might be used to run the command. This would be unsafe.

19.5.2. Solution

Unlike its single-argument version, the list form of the system function is safe from shell escapes. When the command's arguments involve user input from a form, never use this:

    system("command $input @files");            # UNSAFE

Write it this way instead:

    system("command", $input, @files);          # safer

19.5.3. Discussion

Because Perl was designed as a glue language, it's easy to use it to call other programs—too easy, in some cases.

If you're merely trying to run a shell command but don't need to capture its output, it's easy enough to call system using its multiple argument form. But what happens if you're using the command in backticks or as part of a piped open? Now you have a real problem, because those don't permit the multiple argument form that system does. The solution (prior to v5.8; see later in this Discussion) is to manually fork and exec the child processes on your own. It's more work, but at least stray shell escapes won't be ruining your day.

It's safe to use backticks in a CGI script only if the arguments you give the program are internally generated, as in:

    chomp($now = `date`);

But if the command within the backticks contains user-supplied input, perhaps like this:

    @output = `grep $input @files`;

you have to be much more careful.

    die "cannot fork: $!" unless defined($pid = open(SAFE_KID, "-|"));
    if ($pid == 0) {
        # child: exec the list form, so no shell is involved
        exec('grep', $input, @files) or die "can't exec grep: $!";
    } else {
        # parent: read the child's output from the pipe
        @output = <SAFE_KID>;
        close SAFE_KID;                 # $? contains status
    }

This works because exec, like system, permits a calling convention that's immune to shell escapes. When passed a list, no shell is called, and so no escapes can occur.
Similar circumlocutions are needed when using open to start up a command. Here's a safe backtick or piped open for read. Instead of using this unsafe code:

    open(KID_TO_READ, "$program @options @args |");    # UNSAFE

use this more complicated but safer code:

    # add error processing as above
    die "cannot fork: $!" unless defined($pid = open(KID_TO_READ, "-|"));
    if ($pid) {                         # parent
        while (<KID_TO_READ>) {
            # do something interesting
        }
        close(KID_TO_READ) or warn "kid exited $?";
    } else {                            # child
        # reconfigure, then
        exec($program, @options, @args) or die "can't exec program: $!";
    }

Here's a safe piped open for writing. Instead of using this unsafe code:

    open(KID_TO_WRITE, "|$program $options @args");    # UNSAFE

use this more complicated but safer code:

    # "|-": the child's STDIN is the write end of the pipe
    die "cannot fork: $!" unless defined($pid = open(KID_TO_WRITE, "|-"));
    $SIG{PIPE} = sub { die "whoops, $program pipe broke" };
    if ($pid) {                         # parent
        for (@data) { print KID_TO_WRITE $_ }
        close(KID_TO_WRITE) or warn "kid exited $?";
    } else {                            # child
        # reconfigure, then
        exec($program, @options, @args) or die "can't exec program: $!";
    }

Put any extra security measures you'd like where the comment in the code says reconfigure. You can change environment variables, reset temporary user or group ID values, change directories or umasks, etc. You're in the child process now, where changes won't propagate back to the parent.

If you don't have any reconfiguration to do in the child process, and you're running at least the v5.8 release of Perl, open supports a list of separate parameters that works as system and exec do when passed a list; that is, it avoids the shell altogether. Those two calls would be:

    open(KID_TO_READ, "-|", $program, @options, @args)
        || die "can't run $program: $!";

and:

    open(KID_TO_WRITE, "|-", $program, $options, @args)
        || die "can't run $program: $!";

This doesn't help you, of course, if you run a setuid program that can be exploited with the data you give it. The mail program sendmail is a setuid program commonly run from CGI scripts. Know the risks before you call sendmail or any other setuid program.
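As an added example (this is not code from the Perl Cookbook), the script below puts the three safe patterns of this recipe together: the v5.8 list-form open for reading, the list-form open for writing, and the older fork-then-exec pattern with reconfiguration in the child. It uses perl itself ($^X) as the child program so it runs on any Unix-like system with Perl 5.8 or later; the argument strings are constructed here to look like shell metacharacters, and they reach the child unchanged because no shell ever sees them. The subroutine names and the constructed inputs are this example's own, not the book's.

```perl
#!/usr/bin/env perl
# Added example: run a child program with untrusted arguments without
# ever involving a shell.  Uses perl itself ($^X) as the child.
use strict;
use warnings;

# Constructed "user input": each string would be interpreted by a shell
# if interpolated into a command line.  As separate list elements they
# arrive in the child as plain argv strings.
my @untrusted = ('report.txt', 'a;b', '$(whoami)', '*', "quote'\"here");

# --- Read from a child: v5.8+ list-form open -----------------------------
# Returns the child's output lines and its exit status (from $?).
sub capture_lines {
    my (@cmd) = @_;
    open(my $kid, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @lines = <$kid>;
    close($kid);                     # sets $? to the child's wait status
    return (\@lines, $? >> 8);
}

my ($lines, $status) = capture_lines($^X, '-le', 'print for @ARGV', @untrusted);
print "child exit status: $status\n";
print "arg: $_" for @$lines;         # every untrusted string printed intact

# --- Write to a child: v5.8+ list-form open ------------------------------
sub feed_child {
    my ($data, @cmd) = @_;
    local $SIG{PIPE} = sub { die "$cmd[0] closed the pipe early\n" };
    open(my $kid, '|-', @cmd) or die "cannot run $cmd[0]: $!";
    print {$kid} @$data;
    close($kid) or warn "child exited with status ", $? >> 8, "\n";
}

feed_child(["one\n", "two\n"], $^X, '-ne', 'print uc');   # prints ONE, TWO

# --- Fork, reconfigure in the child, then exec (works before v5.8) --------
# The child replaces its environment, tightens its umask and changes
# directory before exec; none of that propagates back to the parent.
sub capture_reconfigured {
    my (@cmd) = @_;
    my $pid = open(my $kid, '-|');   # two-argument form forks
    die "cannot fork: $!" unless defined $pid;
    if ($pid) {                      # parent: read what the child writes
        my @lines = <$kid>;
        close($kid);
        return (\@lines, $? >> 8);
    }
    # child: reconfigure, then exec.  The "exec { $prog } @args" form
    # never uses a shell, even when @args has only one element.
    %ENV = (PATH => '/usr/bin:/bin');
    umask 077;
    chdir '/' or die "chdir /: $!";
    exec { $cmd[0] } @cmd or do {
        warn "cannot exec $cmd[0]: $!";
        exit 127;                    # exit, not die: stay out of the parent's END blocks
    };
}

my ($env_lines, $env_status) = capture_reconfigured(
    $^X, '-le', 'print join ",", sort keys %ENV; print $ENV{PATH}'
);
print "child sees env: $_" for @$env_lines;   # only PATH survives
print "reconfigured child exit status: $env_status\n";
```

Two details worth copying into real code: the indirect-object form `exec { $cmd[0] } @cmd` forces the no-shell path even when the list collapses to a single element (a plain `exec(@cmd)` with one element that contains metacharacters is handed to /bin/sh), and a child that fails to exec should `exit` rather than `die`, because `die` would unwind through the parent's destructors and END blocks in the copied process. Checking `$? >> 8` after `close` is how the parent learns the child's exit status in every variant.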
19.5.4. See Also

The system, exec, and open functions in Chapter 29 of Programming Perl and in perlfunc(1); the section on "Talking to Yourself" in Chapter 16 of Programming Perl; the section on "Accessing Commands and Files Under Reduced Privilege" in Chapter 23 of Programming Perl; perlsec(1); Recipe 16.1; Recipe 16.2; Recipe 16.3

Copyright © 2003 O'Reilly & Associates. All rights reserved.


