Hi Monks
I want to execute some programs from a CGI script. After browsing in perlmonks and reading perlsec,
I found that I can use the following approach:-
die "Can't fork: $!" unless defined($pid = open(KID, "-|"));
if ($pid) { # parent
    while (<KID>) {
        # do something
    }
    close KID;
} else { # child
    exec 'myprog', 'arg1', 'arg2'
        or die "can't exec myprog: $!";
}
I have a shell script whose arguments are the path and the executable
Shell Script:
#!/bin/ksh
# print the arguments for checking
# $1 is the directory
# $2 is the executable
echo $1
echo $2
# change dir to $1
cd $1
# execute $2
$2
echo "Exit"
and I execute that using 'exec' as shown
...
...
$dir = 'some path'; # untainted
$exe = 'some executable'; # untainted
...
...
exec 'unixscript.sh', $dir, $exe
...
...
I am wondering if it is a good idea to execute unix shell scripts with some arguments as shown? I want to use this approach in CGI scripts to run executables from the web. (Note that the 'executable' is preset inside the CGI script and IS NOT a user input.)
Are there any security issues with this approach?
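
One way to get the same effect (change to a directory, run a preset program, read its output) without the ksh wrapper, as an added example that is not part of the original post. The job table, the job name `listing` and the paths `/tmp` and `/bin/ls` are constructed placeholders; the environment cleanup follows perlsec.

```perl
#!/usr/bin/perl -T
# Added example: run a preset program in a preset directory, no shell involved.
use strict;
use warnings;

# Under taint mode, exec is refused until PATH is set explicitly and the
# shell-influencing variables are removed (see perlsec).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Constructed allow-list: the CGI parameter may only select a key of this
# table; directories and executables are fixed absolute paths in the script.
my %ALLOWED = (
    listing => { dir => '/tmp', exe => '/bin/ls', args => ['-l'] },
);

# Returns (exit_status, output_lines) for an allow-listed job name.
sub run_job {
    my ($name) = @_;
    my $job = $ALLOWED{$name} or die "unknown job '$name'\n";

    my $pid = open(my $kid, '-|');    # fork; parent reads the child's STDOUT
    die "Can't fork: $!" unless defined $pid;

    if ($pid == 0) {                  # child
        # chdir here replaces the wrapper's unquoted "cd $1".
        chdir $job->{dir} or die "can't chdir to $job->{dir}: $!";
        # List-form exec with an absolute path: no shell parses the
        # arguments, and no PATH lookup decides which binary runs.
        exec { $job->{exe} } $job->{exe}, @{ $job->{args} }
            or die "can't exec $job->{exe}: $!";
    }

    my @out = <$kid>;                 # parent
    close $kid;                       # waits for the child and sets $?
    return ($? >> 8, @out);
}

my ($status, @lines) = run_job('listing');
print "Content-Type: text/plain\n\n", @lines, "exit status: $status\n";
```

With the wrapper removed, the unquoted `$1` and `$2` expansions in the ksh script (word splitting and globbing on paths containing spaces or wildcards) and the unchecked `cd` no longer exist.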