Running a Shell Program from CGI page

sauravrout has asked for the wisdom of the Perl Monks concerning the following question:

Hi Monks, I am collecting params from a page and passing it to a shell script. However, I am not getting any error while executing, but the the shell script is not getting executed. I need help on this. I tried different methods, but nothing seems to work.

#!/u001/dev/edw/common/ul/bin/perl
#----------------------------------------------------
# Author: Saurav Rout
#----------------------------------------------------
use Time::Local;
use Date::Calc qw(Delta_DHMS);
use CGI qw(:standard);
use Scalar::Util qw(looks_like_number);
use CGI::Carp qw/fatalsToBrowser warningsToBrowser/;

my $q = new CGI;
my $appname = $q->param('App_name');
my $email = $q->param('Email_id');
my $table = $q->param('Table_name');

open(OUT, ">/tmp/table_list.lst") or die "Couldn't open output file: $
+!";
print OUT $table."\n";
close(OUT);

my $cmd = '/u001/dev/edw/common/ul/cgi-bin/car/code_gen.ksh $appname /
+tmp/tablelist.lst "$email"';
$result = `code_gen.ksh $appname /tmp/table_list.lst "$email"`;

print header;
print start_html("Results");
print<<"end_of_html";
<html>
  <body>
<h2>Thank You for using this tool. Your code is on its way to the emai
+l id specifed in the previous page.$appname, $email</h2>
<h2>Open the JIL file, edit the calendar related values (Date & time),
+ then upload/move it to unix for futher usage.</h2>
    <p>
      Let me know if you see any scope of enhancement in this tool. -S
+aurav Rout(Saurav.S.Rout\@google.com)
    </p>
  </body>
</html>
end_of_html

print end_html;
[download]

Comment on Running a Shell Program from CGI page Download Code

Replies are listed 'Best First'.
Re: Running a Shell Program from CGI page by Corion (Patriarch) on Oct 30, 2015 at 11:57 UTC
You're never using the value of `$cmd`. Maye you wanted $result = `$cmd`; ?	[reply] [d/l] [select]
Re: Running a Shell Program from CGI page by NetWallah (Canon) on Oct 30, 2015 at 17:29 UTC
You should also check the exit status of the external command run. You can get that by querying: `if (my $exitstatus=($?>> 8 ) == 0){ # All is well }else{ die "ERROR: Returned $exitstatus from shell"; }` [download] See "$CHILD_ERROR or $?" in perlvar. The best defense against logic is ignorance.	[reply] [d/l]
Re: Running a Shell Program from CGI page by hippo (Archbishop) on Oct 31, 2015 at 15:01 UTC
Let me know if you see any scope of enhancement Let's suppose for a moment that this script is called with a value for the App_name parameter of '`;rm -rf ~`', what do you suppose would happen? That would be bad enough but who knows what other access you are opening up to the potential miscreants. There's no point going into great detail here about how to fix this since there are thousands of tutorials on the web (not least the section "Don't Let User Data Near the Shell" from Ovid's CGI course which you would do well to read). But, if this is an actual CGI script on an actual webserver, take it down right now before it lets all the hordes of bad guys in. Other things which could use attention: You should use strict. You should use warnings. You should use taint mode as recommended by Ovid's course (and read the rest of perlsec while you're there). You should avoid loading modules which you don't use (Date::Calc, Scalar::Util, Time::Local). Heed the recommendation in the CGI documentation and avoid using the HTML-generating code. You assign values to some variables (`$cmd`, `$result`) but then never subsequently refer to them. This is best avoided. Don't use backticks if you aren't going to use STDOUT from the subprocess (see previous point about not using `$result`). Pay heed to the interpolation rules - the value of `$cmd` is probably not what you think. If you can correct all of these concerns there is every chance that you will have solved your original problem as a consequence. Good luck.	[reply] [d/l] [select]
Re: Running a Shell Program from CGI page by Anonymous Monk on Oct 31, 2015 at 02:30 UTC
it worked for me when I gave the absolute path. $result = `code_gen.ksh $appname /tmp/table_list.lst "$email"`; [download]	[reply] [d/l]