Re: Safely capturing the output of an external program

by LanX (Sage) on Mar 09, 2020 at 00:00 UTC


in reply to Safely capturing the output of an external program

update

Nevermind I misread your question as already having the path. Sorry.


update

Maybe have a look at IPC::Open3 and IPC::Run

The latter is explicitly talking about avoiding the shell and both offer passing arguments explicitly.

Untested!


Hi

I'm not aware of safe placeholder invocations, and the variety of possible CLI arguments is huge.

But you could consider examining and untainting your file argument.

-e $file should tell you if it exists (hence not work with evil injections) and examining the path should tell you if it's inside an allowed location.

Cheers Rolf
(addicted to the Perl Programming Language :)
Wikisyntax for the Monastery

Re^2: Safely capturing the output of an external program
by AppleFritter (Vicar) on Mar 09, 2020 at 07:58 UTC
    Untainting might work though; if the filename matches, say, q/^[A-Za-z0-9]+\.tfm$/, it's probably safe to pass it through any shell. But I've never liked that approach, and "probably" is a dangerous word.
      > Untainting might work though;

      In this case I'd additionally surround arguments with 'singlequotes'.

      Your untainting demo is explicitly forbidding quotes, in other cases escape them.

      Cheers Rolf
      (addicted to the Perl Programming Language :)
      Wikisyntax for the Monastery
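The following is an added example, not code posted by LanX or AppleFritter, that puts the two suggestions from this thread together: the allow-list pattern `^[A-Za-z0-9]+\.tfm$` plus a `-e` and allowed-directory check to untaint the filename, and IPC::Open3 (core Perl) called with a list-form command so that no shell ever parses the argument and quoting becomes unnecessary. The allowed directory `/var/lib/fonts`, the tool name `tftopl` and the sample filename are placeholders chosen for the example.

```perl
#!/usr/bin/env perl -T
# Added example (not from the thread): untaint a filename, confine it to an
# allowed directory, then capture a program's output through IPC::Open3
# with a list-form argv, so the argument never reaches /bin/sh.
use strict;
use warnings;
use IPC::Open3 qw(open3);
use File::Spec;
use Cwd qw(realpath);

# Placeholder settings, not values from the thread.
my $ALLOWED_DIR = '/var/lib/fonts';
my @TOOL        = ('tftopl');   # any command that takes one file argument

# Returns the untainted absolute path, or undef if the name is rejected.
sub untaint_font_path {
    my ($name, $dir) = @_;

    # Allow-list pattern from AppleFritter's reply; under -T the capture
    # group is what clears the taint flag, so only $1 is used afterwards.
    return undef unless $name =~ /^([A-Za-z0-9]+\.tfm)$/;
    my $clean = $1;

    my $path = File::Spec->catfile($dir, $clean);

    # Rolf's -e check: an injected string will not name an existing file.
    return undef unless -e $path;

    # Resolve symlinks and confirm the result is still inside $dir.
    my $real = realpath($path);
    my $base = realpath($dir);
    return undef unless defined $real && defined $base;
    return undef unless index($real, "$base/") == 0;

    return $real;
}

# Runs @cmd with $file appended as its own argv element. Passing a list to
# open3 bypasses the shell entirely, so spaces, quotes or ';' in $file are
# just bytes in one argument. stderr is merged into stdout (third argument
# undef) to avoid the pipe-buffer deadlock of reading two pipes in sequence.
# Returns (exit_status, captured_output).
sub capture_output {
    my ($file, @cmd) = @_;
    my $pid = open3(my $in, my $out, undef, @cmd, $file);
    close $in;               # the child gets no stdin
    my $text = do { local $/; <$out> };
    $text = '' unless defined $text;
    waitpid($pid, 0);
    return ($? >> 8, $text);
}

# Constructed sample input; a hostile name such as "x; rm -rf ~" fails the
# regex before anything is executed.
my $request = shift @ARGV;
$request = 'cmr10.tfm' unless defined $request;

my $path = untaint_font_path($request, $ALLOWED_DIR)
    or die "rejected filename: $request\n";

my ($status, $output) = capture_output($path, @TOOL);
print "exit=$status\n$output";
```

Because the command is handed to open3 as a list, the single-quoting discussed above is not needed; quoting only matters when a single string is given to `system`, backticks or `open` with a pipe, where Perl falls back to the shell. If stdout and stderr must be captured separately, IPC::Run's `run \@cmd, \undef, \$out, \$err` does the simultaneous reading that a plain open3 loop would otherwise need.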
