in reply to Safely passing CGI form data to a shell command

In order to run the external command, it's safer to fork a new process via open '-|' and then execute the external program as exec @list

    # untested
    use Carp;
    my @out;
    my $pid = open my $pipe, '-|';          # fork; child's STDOUT is the pipe
    defined $pid or croak "fork failed";
    if ($pid == 0) {
        # child: exec only returns if it fails, so report that instead of exiting 0
        exec $command, $opt1, $opt2, ..., '--', $arg1, $arg2, ...
            or die "exec failed: $!";
    } else {
        @out = <$pipe>;                     # parent: collect the command's output
    }

exec @list doesn't use the shell to parse and run the command, so you don't need to bother about a malicious user passing things like "hello; rm -rf /"...

well, you have to be sure that the called program doesn't pass its arguments to a shell either!!!

Re^2: Safely passing CGI form data to a shell command
by Tommy (Chaplain) on Apr 21, 2005 at 17:00 UTC

    I'm curious what creating another process accomplishes? Why not just call exec() from within your own process? Could you explain? Thanks!

    --
    Tommy Butler, a.k.a. Tommy
    
      fork and exec is just what qx// does (w/o the shell thing).

      Calling exec without forking would not let you capture and postprocess the command output... actually the command output would be sent to the remote browser!
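The following is an added, complete version of the fork-and-exec idiom from the first reply, written here as an illustration and not taken from any of the posters. It also answers the question about why forking matters: the parent CGI process survives, reads the pipe, and can check the exit status, whereas a bare exec would replace the CGI process and send the command's output straight to the browser. The helper name run_capture, the use of perl itself as the stand-in external program, and the sample form value are all assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Carp  qw(croak);
use POSIX qw(_exit);

# run_capture($command, \@options, \@user_args)
# Fork a child whose STDOUT is a pipe back to us, exec the command as an
# argument list (no shell involved), and return its output lines plus its
# exit status. The '--' separates our fixed options from user-supplied
# values, so a value such as "-n" cannot be taken as an option by the
# called program. (Hypothetical helper written for this illustration.)
sub run_capture {
    my ($command, $options, $user_args) = @_;

    my $pid = open(my $pipe, '-|');      # implicit fork; child's STDOUT -> $pipe
    defined $pid or croak "fork failed: $!";

    if ($pid == 0) {
        # Child: exec replaces this process and only returns on failure.
        # _exit avoids flushing the parent's buffered STDOUT a second time.
        exec $command, @$options, '--', @$user_args
            or do { print STDERR "exec $command failed: $!\n"; _exit(127) };
    }

    # Parent: still running, so it can read, post-process and check status.
    my @out = <$pipe>;
    close $pipe;                         # reaps the child and sets $?
    my $status = $? >> 8;
    return (\@out, $status);
}

# Constructed sample input imitating a hostile form field.
my $field = 'hello; echo INJECTED';

# Unsafe pattern (shown only, never run here): the string is handed to
# /bin/sh, which treats ';' as a command separator.
#   open(my $fh, "echo $field |");

# Safe pattern: perl itself stands in for the external program (assumption
# for this demo). Because of '--', both values land in @ARGV, including the
# one that looks like an option; nothing is interpreted as shell syntax.
my ($lines, $status) = run_capture(
    $^X,
    ['-e', 'print "arg: $_\n" for @ARGV'],
    ['-n', $field],
);
print @$lines;
print "exit status: $status\n";
```

The '-|' fork-open form relies on fork and is not available on Win32 perls; there, the list form of system/exec with a pipe set up via IPC::Open3 is the usual substitute. The caveat from the first reply still applies: the argument list only protects you if the called program does not itself hand its arguments to a shell.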