in reply to Re^2: Safely passing CGI form data to a shell command
in thread Safely passing CGI form data to a shell command

:(

I can't get around this error, and STFW and RTFM are yielding no help.

Can someone help me decipher the error message I'm getting? It's apparently fatal.

Oh, and by the way. I've realized now that system() and exec() are useless to me as neither returns the output of my command. Duhhhhhh.

from http://perldoc.perl.org/functions/system.html
The return value is the exit status of the program as returned by the wait call. To get the actual exit value shift right by eight (see below). See also "exec". This is not what you want to use to capture the output from a command, for that you should use merely backticks or qx// , as described in "`STRING`" at perlop. Return value of -1 indicates a failure to start the program (inspect $! for the reason).

Code:

my(@call) = system($call);

Error:

Insecure dependency in system while running with -T switch

--
Tommy Butler, a.k.a. Tommy

Re^4: Safely passing CGI form data to a shell command
by Tanktalus (Canon) on Apr 21, 2005 at 19:53 UTC

    I said in my previous post that "in your case" you should be using IPC::Open2. That is used to capture output from a program (as well as send input, but you can close the writer since you're not sending input) while still allowing a LIST like system and exec to bypass the shell.

    The taint problem is likely that you didn't reset your environment. Check out perlsec on how to set your environment securely.
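
An added example, not code from anyone in this thread, of the approach the reply describes: reset the environment as perlsec advises, untaint the form value with an allowlist pattern, and capture output through IPC::Open2 with a LIST so no shell is involved. The hostname pattern, the sub names, the `@ARGV` stand-in for the form field and the `/bin/echo` placeholder command are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use IPC::Open2;

# perlsec: give the child a known-safe environment before running anything.
# A PATH inherited from the web server is tainted and triggers
# "Insecure $ENV{PATH}" / "Insecure dependency" under -T.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by matching against an allowlist pattern and keeping only the
# capture; anything that does not match is rejected, never "cleaned up".
# (Hypothetical rule: the field is expected to hold a DNS-style hostname.)
sub untaint_hostname {
    my ($raw) = @_;
    if (defined $raw
        && $raw =~ /\A([A-Za-z0-9](?:[A-Za-z0-9.-]{0,252}[A-Za-z0-9])?)\z/) {
        return $1;
    }
    die "rejected input\n";
}

# Run a program given as a LIST (no shell) and return its output lines.
sub run_capture {
    my (@cmd) = @_;
    my $pid = open2(my $out, my $in, @cmd);   # open2 dies if it cannot start
    close $in;                                # nothing to send to the child
    my @lines = <$out>;
    close $out;
    waitpid $pid, 0;
    if ($?) {
        die sprintf "command failed (exit %d, signal %d)\n",
            $? >> 8, $? & 127;
    }
    return @lines;
}

# Constructed stand-in for the form field: @ARGV is tainted under -T,
# just as CGI parameters are.
my $raw  = @ARGV ? $ARGV[0] : 'example.com';
my $host = untaint_hostname($raw);

# /bin/echo is a placeholder for the real program being called.
print run_capture('/bin/echo', 'lookup', $host);
```

Run it with `perl -T` so taint mode is active from startup; passing a value such as `a;b` makes `untaint_hostname` die before any command is started.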