Beefy Boxes and Bandwidth Generously Provided by pair Networks
XP is just a number
 
PerlMonks  

How to execute a shell command from a CGI script

by antovinraj
on Aug 21, 2014 at 06:44 UTC ( #1098193=perlquestion: print w/replies, xml ) Need Help??

antovinraj has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I want to access all the changes submitted in perforce and to display in the web page for a particular user. CGI Script:
#!/usr/bin/perl -wT use CGI; $cgi = CGI->new; print $cgi->header; print <<EndOfHTML; <form action="post.cgi" method="POST"> <table> <tr><td>Perforce User</td> <td><select size="1" name="user"> <option name="antoine">antoine</option></select> </td></tr> <tr> <td>Start Date</td><td><input name=startdate></td> </tr><tr> <td>End Date</td><td><input name=enddate></td> </tr><tr> <td colspan=2 align=\"center\"><input type=\"submit\" value=\"Sub +mit\"></td> </tr></table></form>"; EndOfHTML
post.cgi:
#!/usr/bin/perl -w use CGI; $ENV{ 'PATH' } = '/bin:/usr/bin:/usr/local/bin'; delete @ENV{ 'IFS', 'CDPATH', 'ENV', 'BASH_ENV' }; print header; my %form; foreach my $p (param()) { $form{$p} = param($p); } my $user = $form{'user'}; my $output = system ("sudo -i -u avinodh p4 changes -u $user > /tmp/$u +ser"); print $output; print "The active user is: ", `whoami`; print end_html;

When we execute the script in the browser it is giving output as "256The active user is: www-data". Please provide your inputs. Thank You Antoine.

Replies are listed 'Best First'.
Re: How to execute a shell command from a CGI script
by hippo (Bishop) on Aug 21, 2014 at 10:16 UTC

    system returns the exit status of the command being run. Compare that against backticks (or the qx equivalent) which return the output of the command being run.

    But, please note the contributions by my learned brethren exhorting you to greater care over validation and cleansing of your inputs. You are using taint mode, which is good, but you are using it on entirely the wrong script. post.cgi is the one where taint mode will have the greater effect.

Holy Security Hole Batman!
by blue_cowdawg (Monsignor) on Aug 21, 2014 at 16:22 UTC

    I am having severe ogita about that bit of code. You have created a security hole I could drive a truck through. Running sudo from a CGI script is a bad bad idea. Think of a way of doing this without the sudo.


    Peter L. Berghold -- Unix Professional
    Peter -at- Berghold -dot- Net; Blog: http://blog.berghold.net Warning: No political correctness allowed.
Re: How to execute a shell command from a CGI script
by Anonymous Monk on Aug 21, 2014 at 06:48 UTC
    Why are you not validating   my $user = $form{'user'};? Thats dangerous
      I have been validating in the script whether any null values are there. I have removed that code, so that it can easily understand.
        ; rm -rf / is much more dangerous than a null value.
        لսႽ ᥲᥒ⚪⟊Ⴙᘓᖇ Ꮅᘓᖇ⎱ Ⴙᥲ𝇋ƙᘓᖇ

        You are missing the more serious point. A null value is the least of your concerns, imagine what commands someone could make this run, and you execute them via sudo!

Re: How to execute a shell command from a CGI script
by CountZero (Bishop) on Aug 22, 2014 at 06:20 UTC
    post.cgi seems to do exactly what you ask it to do and the output you mention is exactly as one should expect to see.

    So what is your problem?

    CountZero

    A program should be light and agile, its subroutines connected like a string of pearls. The spirit and intent of the program should be retained throughout. There should be neither too little or too much, neither needless loops nor useless variables, neither lack of structure nor overwhelming rigidity." - The Tao of Programming, 4.1 - Geoffrey James

    My blog: Imperial Deltronics

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?
Node Status?
node history
Node Type: perlquestion [id://1098193]
Approved by marto
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others cooling their heels in the Monastery: (3)
As of 2021-11-28 05:50 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found

    Notices?