Re: Calling perl from CGI

Replies are listed 'Best First'.
Re^2: Calling perl from CGI by PerlRob (Sexton) on Sep 07, 2008 at 04:07 UTC
But if I do this... $result = `/usr/bin/perl -v`; [download] $result gets the version output, and it's all happily displayed on the page. So you're saying the provider is somehow able to tell if a CGI script calls Perl with the -M option in particular?	[reply] [d/l]
Re^3: Calling perl from CGI by Narveson (Chaplain) on Sep 07, 2008 at 05:34 UTC
$result = `/usr/bin/perl -v`; does not contain user-supplied input. User-supplied input is what security-conscious hosts forbid. See perlsec for how it works. Updated: As other respondents have shown, your method would be ineffective even if it did not breach security, so I have deleted my original suggestions for putting an untainted module name between the backticks. The `eval "use $module; 1"` suggestion from lamp, besides having the advantage of actually working, is free of security concerns.	[reply] [d/l] [select]
Re^4: Calling perl from CGI by Anonymous Monk on Sep 07, 2008 at 07:55 UTC
is free of security concerns. Not really :) $module is still tainted, and can be abused in the same way ('`strict; system qw[ rm -rf / ];`')needs to be validated, something like `$module = $1 if /^([a-zA-Z_][a-zA-Z_0-0](?:(?:'\|::)[a-zA-Z_0-0]+))$/ +s; # or $module = $1 if /\A[^\W\d]\w(?:(?:\'\|::)\w+)\z/s;` [download]	[reply] [d/l] [select]
Re^4: Calling perl from CGI by Anonymous Monk on Sep 07, 2008 at 06:20 UTC
Please see Re^3: Calling perl from CGI That approach is fundamentally flawed because it relies on capturing STDOUT, when nothing ever gets printed to stdout.	[reply]
Re^3: Calling perl from CGI by Anonymous Monk on Sep 07, 2008 at 05:28 UTC
You should have `#!/usr/bin/perl -T --` [download] at the top of your code, and you should read perlsec. You should also search for installed: List of installed modules What modules are installed ? Checking to see if a particular Module is installed Finding what modules are installed How do I find out what modules are already installed on my system?	[reply] [d/l]
Re^3: Calling perl from CGI by Anonymous Monk on Sep 07, 2008 at 05:22 UTC
Why not? For all you know, your provider is playing a prank. Ok that was a joke :D Why do you expect your code to work? If there is an error (module not installed), you get no output because qx// doesn't capture stderr (``), and if there is no error (module is installed) you get not output because you print nothing. Example C:\>perl -MCGI -e 1 \|hexdump 00000000; C:\>perl -MCGIs -e 1 \|hexdump Can't locate CGIs.pm in @INC (@INC contains: C:/Perl/lib C:/Perl/site/ +lib .). BEGIN failed--compilation aborted. 00000000; C:\>perl -MCGIs -e 1 2>2 C:\>hexdump 2 00000000: 43 61 6E 27 74 20 6C 6F - 63 61 74 65 20 43 47 49 \|Can't loc +ate CGI\| 00000010: 73 2E 70 6D 20 69 6E 20 - 40 49 4E 43 20 28 40 49 \|s.pm in @ +INC (@I\| 00000020: 4E 43 20 63 6F 6E 74 61 - 69 6E 73 3A 20 43 3A 2F \|NC contai +ns: C:/\| 00000030: 50 65 72 6C 2F 6C 69 62 - 20 43 3A 2F 50 65 72 6C \|Perl/lib +C:/Perl\| 00000040: 2F 73 69 74 65 2F 6C 69 - 62 20 2E 29 2E 0D 0A 42 \|/site/lib + .). B\| 00000050: 45 47 49 4E 20 66 61 69 - 6C 65 64 2D 2D 63 6F 6D \|EGIN fail +ed--com\| 00000060: 70 69 6C 61 74 69 6F 6E - 20 61 62 6F 72 74 65 64 \|pilation +aborted\| 00000070: 2E 0D 0A - \|. \| 00000073; C:\> [download] `2>2` redirects stderr to file 2	[reply] [d/l] [select]