I'm wanting to add a dictionary lookup at my website that just directly interfaces with the availabe dict shell command. I also want to do this securely. How should I go about doing this? Not the implementation, but the sanitizing of data before it is passed through to qx// (the shell)?
Basically what I've got so far:
use CGI; use My::QXcall; $cgi = CGI->new(); my(@terms) = $cgi->param('t'); # do stuff sanitize input data, etc. foreach (@terms) { $_ =~ s/(?:^\s)|(?:\s$)//o; # trims leading/trailing whitespace # [other stuff I should be doing would go here...] } # look up terms with dict print QXcall(qq{dict ${\ scalar join(' ', map { "'" . quotemeta($_) . "'" } @terms) }});
Does that code do enough in the way of security? I'm wondering if taint should be figuring in here somewhere...or something(s) else?
...And by the way, here's the non-standard "My" module referenced in the above code if you'd like to see it to get some more context:
package My::QXcall; use strict; use vars qw( $VERSION @ISA @EXPORT ); use Exporter; @ISA = qw( Exporter My ); $VERSION = 0.00_1; # Wed Jun 11 17:14:17 CDT 2003 @EXPORT = qw( QXcall QXstatus QXsignal QXerror QXoserror QXerrli +ne ); our($STAT, $SIG, $ERR, $OSERR, $LINE); sub QXcall { undef($STAT); undef($SIG); undef($ERR); undef($OSERR); undef($LINE); my($call,$errmsg) = @_; my(@call) = `$call`; $STAT = $? >> 8; $SIG = $SIG{ $? & 127 } || $? & 127; if ($STAT) { $OSERR = $^E; $LINE = (caller)[2]||'?'; $ERR = $errmsg ? $errmsg . NL : '' . join("\n",@call) . qq[syscall failed with status $STAT, signal $SIG] . "\n"; } @call } sub QXstatus { $STAT } sub QXsignal { $SIG } sub QXerror { $ERR } sub QXoserror { $OSERR } sub QXerrline { $LINE } 1;
Thanks everyone!
--In reply to Safely passing CGI form data to a shell command by Tommy
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |