
Using SSH and SCP in a perl script with taint flag

by stefl (Acolyte)
on May 28, 2015 at 14:38 UTC (#1128143, perlquestion)

stefl has asked for the wisdom of the Perl Monks concerning the following question:

Hi wise monks, after several days of going in circles I would like some help.
I have a webform (CGI) that I am developing, and after the user fills in various parts of the form, I need to copy a file from one server to another. I have a short sample code (that isn't CGI-based but may illustrate my problem) below:

    #!/usr/bin/perl -w -T
    use Net::SSH::Expect;

    my $ssh = Net::SSH::Expect->new(
        host    => "<IP>",
        user    => "<username>",
        raw_pty => 1
    );
    $ssh->run_ssh() or die "SSH Process couldn't start: $!";
    $ssh->exec("stty raw -echo");

    my $who = $ssh->exec("whoami");
    print ($who);

    # Run scp on the remote host through the established SSH session
    my $scp = "scp <file> <username>\@<IP Address>:<destinationpath>";
    $ssh->exec($scp) or die "SCP Process error: $!";

I understand that the taint flag isn't necessary in this short example, but it is required for the main application and I believe is causing most of my problems.
Prior to this attempt, I have also tried using system() to run the scp:

    system('ssh <user>\@<IP> scp $file <user2>\@<Destination IP>:<destination path>');

This involved untainting all variables before this call. This attempt resulted in a slew of errors ("Can't exec 'ssh': No such file or directory", "sh: 1: ssh: not found").
I had read (although I may be wrong) that the Net::SSH::Expect module does not have full support for taint mode.
Also, as the script is generally being run from the web, the user for the commands is www-data (I don't know exactly what relevance this has, but it seems to be important, at least in my debugging attempts).
Thank you very much for any help or advice you can give. If more information is needed, I'm happy to provide it (I just can't think of anything else to include at the moment). Cheers!

Replies are listed 'Best First'.
Re: Using SSH and SCP in a perl script with taint flag
by salva (Canon) on May 28, 2015 at 16:09 UTC

      Hi Salva, thanks for your reply. I've read through the documentation for OpenSSH and it seems like a much better method than my current attempts. I'm getting really confused though with the examples in the documentation, and my own attempts aren't going well. Would you be able to help further? My current code sample is below.

      #!/usr/bin/perl -wT
      use Net::OpenSSH;

      $ENV{PATH} = "/bin";
      my $ssh = Net::OpenSSH->new("<IP>", user => "<username>", password => "<password>");
      $ssh->error and die "Can't ssh to host: " . $ssh->error;
      $ssh->system('whoami') or die "whoami failed: " . $ssh->error;

      I should say, I have tried this without the password bit (as I use private key authentication) as well, and I have tried using syntax such as my $ssh = Net::OpenSSH->new("<user>\@<Host IP>");.
      I get the following error:

      Can't exec "ssh": No such file or directory at /usr/share/perl5/Net/Op line 731.
      Can't ssh to host: unable to establish master SSH connection: master process exited unexpectedly

      Do you have any further advice?
      Thanks very much again! Really appreciate your help.

        The problem is that the OpenSSH client ssh is not in the scrawny path you are using. Try adding /usr/bin too:
        $ENV{PATH} = "/bin:/usr/bin";
Re: Using SSH and SCP in a perl script with taint flag
by herveus (Parson) on May 28, 2015 at 15:40 UTC

    Is $ENV{PATH} properly set? The errors from the system call lead my thoughts there.


      Thanks for replying! In my full application code, I have $ENV{PATH} = "/bin"; but I'm not sure if this is sufficient (I'm still new to perl). Would that meet the requirement, or is there something else I need to consider?
      Edit: I should say as well, I added that line to my test code and got the following error: "Cannot exec(ssh -e none <username>@<IP>): No such file or directory"


        That would suggest that your PATH is lacking. Try "which ssh" from a command line to sort out where it actually is. Setting PATH explicitly as you do is something you have to do in taint mode; you just need to make sure you put everything in or invoke it with a full path.
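
Added example (not code from any poster in this thread): a taint-mode setup that applies the advice in the replies above, setting a PATH that actually contains the ssh client and invoking it by full path in list form. The directory list, the `find_program`, `untaint_filename` and `scp_command` helpers, and the sample file names and destination are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
# Added example, not from the thread. Helper names and sample values are assumptions.
use strict;
use warnings;

# Under -T, Perl refuses to exec while PATH is inherited; set it explicitly
# and include every directory that holds a needed binary (check "which ssh").
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Resolve a program name to a full path using only the trusted PATH above.
sub find_program {
    my ($name) = @_;
    for my $dir (split /:/, $ENV{PATH}) {
        my $path = "$dir/$name";
        return $path if -f $path && -x _;
    }
    return;
}

# Untaint a file name with an allow-list pattern; the capture is what untaints.
sub untaint_filename {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ m{\A([A-Za-z0-9_][A-Za-z0-9_.-]*)\z} ? $1 : undef;
}

# Build the scp argument list; list-form system() never involves a shell.
sub scp_command {
    my ($file, $dest) = @_;
    my $scp = find_program('scp') or die "scp not found in $ENV{PATH}\n";
    return ($scp, '-B', $file, $dest);
}

# Constructed sample inputs: one acceptable name, two that must be rejected.
for my $input ('report.csv', '../etc/passwd', 'notes.txt; id') {
    my $file = untaint_filename($input);
    if (!defined $file) { print "rejected: $input\n"; next; }
    # Destination is a constructed placeholder, not a real host.
    my @cmd = scp_command($file, 'deploy@host.example:/srv/incoming/');
    print "would run: @cmd\n";    # call system(@cmd) here in a real script
}

# Local check that exec works under -T: no network connection is made.
my $ssh = find_program('ssh') or die "ssh not found in $ENV{PATH}\n";
system($ssh, '-V') == 0 or die "could not run $ssh: $?\n";
```

Run it as `perl -T example.pl` or make the file executable and start it directly; plain `perl example.pl` aborts because -T on the #! line must also be given at startup.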

