http://qs321.pair.com?node_id=1040994

jonadab has asked for the wisdom of the Perl Monks concerning the following question:

Ok, it's been a while since I've been this stumped on a Perl question and resorted to asking for help.

Ultimately, what I'm trying to accomplish here is to get information on any given remote file. I have access to the remote system via ssh and know the file's full path: call that $remotefile

The approach I was thinking of using is like so:

use Net::SSH::Perl; my $ssh = Net::SSH::Perl->new($remotehost); $ssh->login($remoteuser, $remotepassword); my($stdout, $stderr, $exit) = $ssh->cmd(qq[ls -l $remotefile]); # Then parse the info I want from $stdout with an easy regex

But I can't rule out the possibility that the remote filename might contain shell metacharacters.

My immediate thought was, "No problem, I'm sure the CPAN has six different modules for escaping shell metacharacters," but all I seem to be able to find is modules that appear to be intended for escaping strings in program source code (notably, String::Escape) or undoing said escaping (Encode::Escape for instance). To the best of my knowledge, those probably won't do entirely the right thing (e.g., with spaces). Am I correct in assuming that I need something different?

The characteristics of the remote system are known, and are essentially the same as the local system, although they get updates at different times. (Both systems are Debian.)

Thoughts? Other approaches?

-- 
We're working on a multi-year set of freely redistributable Vacation Bible School materials.

Replies are listed 'Best First'.
Re: Getting information about a remote file via SSH: how to escape the filename
by salva (Canon) on Jun 27, 2013 at 12:24 UTC
    Net::OpenSSH can do it for you:
    use Net::OpenSSH; my $ssh = Net::OpenSSH->new($remotehost, user => $remoteuser, password + => $remotepassword); $ssh->die_on_error("unable to connect to remote host"); my ($out, $err) = $ssh->capture2(ls => '-l', $remotefile);

    Another option is to use SFTP:

    use Net::SFTP::Foreign; use Data::Dumper; my $sftp = Net::SFTP::Foreign->new($remotehost, user => $remoteuser, password => $r +emotepassword, autodie => 1); my $attr = $sftp->stat($remotefile); print Dumper $attr;

      Thanks. I will definitely look into Net::OpenSSH; that seems like a good way to go for this project.

Re: Getting information about a remote file via SSH: how to escape the filename
by Happy-the-monk (Canon) on Jun 27, 2013 at 13:17 UTC

    $ssh->cmd(qq[ls -l $remotefile]); # Then parse the info I want from $stdout with an easy regex

    But I can't rule out the possibility that the remote filename might contain shell metacharacters.

    This should do it: $ssh->cmd(qq[ls -l "$remotefile"]);

    Cheers, Sören

    (hooked on the Perl Programming language)

      $remotefile=qq[foo"; rm -Rf /; echo "bar]

        In my particular situation, actively malicious filenames are very unlikely to occur (and if they do, it implies that I have much bigger problems than this program can possibly address or even meaningfully exacerbate).

        However, I still don't want the thing to fail to work correctly if a filename happens for some reason to contain quotation marks.

        $remotefile=qq[foo"; rm -Rf /; echo "bar]

        You'd better untaint your variables, Monk!

        Cheers, Sören

        (hooked on the Perl Programming language)