redrafiki has asked for the wisdom of the Perl Monks concerning the following question:

Hello everyone, this is my first post on this site. I'm having problems running pscp.exe from a CGI script. I have seen some threads about running exes from CGI scripts but I haven't found a "standard" solution for it. I have an HTML form where the user inputs the values, then I form a pscp command with those parameters. As always, the formed command works OK from the command prompt but not from the browser. If I leave the T parameter in the script I get: "Insecure dependency in system while running with -T switch at..."; if I remove that switch the page just stays on "Waiting for localhost..." until it times out. I'm using the Apache web server, trying to copy the file to my computer. Could this be a running cmd.exe issue? And if it is, how can I get around it?

    #!/perl/bin/perl -wT
    use CGI qw(:standard);
    use CGI::Carp qw(warningsToBrowser fatalsToBrowser);
    use strict;

    $ENV{'PATH'} = 'C:\\Temp\\';

    #Declare the variables
    my $result;
    my $staging_area = param('staging');
    my $directory = param('directory');
    my $user_id = param('userid');
    my $passwd = param('passwd');
    my $store = param('store');

    #Attach the store directory to the directory variable
    $directory = $directory . "/" . $store;

    #Set the directory where pscp.exe resides
    my $pscp_dir = 'C:\\Temp\\';

    #Construct the pscp command with the right arguments
    my $command = $pscp_dir . "pscp.exe -batch -pw " . $passwd . " " . $user_id . "@" . $staging_area . ":" . $directory . "/" . $store . "*.tgz " . $pscp_dir;

    #Execute the command
    system($command);
    if ( $? == -1 ) {
        $result = "command failed: $!\n";
    }

    print header;
    print start_html("Thank You");
    print h2("Thank You");
    print "$command<br>\n";
    print "$result<br>\n";
    print end_html;

Replies are listed 'Best First'.
Re: Running pscp from cgi-script in Windows
by VinsWorldcom (Prior) on Oct 26, 2010 at 20:47 UTC

    pscp.exe will use a command prompt (cmd.exe) - there is no way (I know) around that. Try Start->Run and enter pscp.exe - it will launch a cmd.exe window and then close.

    Depending on your web server (I'm assuming IIS on some version of Windows), you will be restricted from running cmd.exe via CGI. I encountered this when we switched from Win2k to Win2k3 and whatever version of IIS that comes with. Batch files that worked fine as CGI scripts suddenly failed due to the locked down access to cmd.exe.

    I don't know of a way around that - but how about something like Net::SCP or another file transfer method instead of launching an external EXE?

      Thanks Vins, I don't think I can use Net::SCP in Windows, actually I'm not sure if the problem is IIS, since I'm using Apache as web server in my Windows XP computer.
Re: Running pscp from cgi-script in Windows
by locked_user sundialsvc4 (Abbot) on Oct 26, 2010 at 23:18 UTC

    Perl has an unusual and extremely powerful feature known as “taint mode,” which is designed to recognize when user-provided (i.e. “tainted”) inputs are being used in what should be “trustworthy” situations. This feature is especially designed for CGI situations, and is enabled by default most of the time. You need to educate yourself about this facility, and abide by it in your code.

    With that in mind, I’m really not too comfortable with the notion of having web-initiated code doing a pscp ... there is a serious potential for abuse here. I would ponder strategies that would allow the web-server to somehow “pass a request to” another daemon or agent who would be responsible for doing the copy. Something on the order of a “FastCGI” scenario. This would sidestep the very-risky (and therefore, usually prohibited...) scenario of “Apache executing something.”

Re: Running pscp from cgi-script in Windows
by umasuresh (Hermit) on Oct 26, 2010 at 20:32 UTC
    I would print the command to be executed to see if I have concatenated the string correctly!  print "$command\n";
Re: Running pscp from cgi-script in Windows
by Plankton (Vicar) on Oct 26, 2010 at 23:23 UTC

    You know you might be vulnerable to a cross-site scripting attack. That's what -T is warning you about. What would happen if someone was to figure out how to pass "junk | del *.*" as that store parameter. Or even worse something like "whatever | putty.exe ...". Be sure you are running this on a server that is isolated from the Internet.

      Thanks for your reply guys, the reason we are choosing pscp is because our server is isolated from the internet. The purpose of the script is to get "load" files used to load virtual test boxes. Only me and another administrator are gonna have access to the page in the server to request these load files from the linux boxes (also isolated from the internet). In another Windows server, we installed Filezilla to ftp files using a shell script running in the linux boxes, and then cygwin to do it using ssh. This solution is not possible since we can't install anything in this server, that is why we decided going for the cgi script approach. Thanks
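
The "Insecure dependency in system" error in the question appears because form values reach `system` unchecked; the sketch below is an added example, not code from any poster in this thread, showing each field validated against an allowlist (the captured group is what taint mode accepts) and the command built as an argument list instead of one string. The patterns, the sample values and the `build_pscp_args` and `run_pscp` names are assumptions made for illustration.

```perl
use strict;
use warnings;

# Run as `perl -T` in the CGI; a capture group from a successful match is untainted.
$ENV{PATH} = 'C:\\Temp';                    # same directory the original script uses
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};   # per perlsec, before any system/exec

my $PSCP = 'C:\\Temp\\pscp.exe';            # fixed path, never built from input

# Assumed allowlists for each form field; tighten them to the real naming scheme.
my %ALLOW = (
    staging   => qr/\A([A-Za-z0-9][A-Za-z0-9.-]{0,62})\z/,   # host name
    userid    => qr/\A([a-z_][a-z0-9_-]{0,31})\z/,           # login name
    passwd    => qr/\A([A-Za-z0-9._%+=:,-]{1,64})\z/,        # no spaces, quotes, pipes
    directory => qr{\A((?:/[A-Za-z0-9_-]+)+)\z},             # absolute, no "." or ".."
    store     => qr/\A([A-Za-z0-9_-]{1,32})\z/,              # store identifier
);

# Validate every field and return the pscp argument list; die on the first bad field.
sub build_pscp_args {
    my (%in) = @_;
    my %ok;
    for my $field (sort keys %ALLOW) {
        my $value = defined $in{$field} ? $in{$field} : '';
        $value =~ $ALLOW{$field} or die "rejected field '$field'\n";
        $ok{$field} = $1;                   # untainted copy
    }
    # The remote side still expands this path, hence the strict character sets above.
    my $remote = "$ok{userid}\@$ok{staging}:$ok{directory}/$ok{store}/$ok{store}*.tgz";
    return ($PSCP, '-batch', '-pw', $ok{passwd}, $remote, 'C:\\Temp\\');
}

# List form: each element reaches pscp.exe as its own argument, not one command string.
sub run_pscp { my @cmd = @_; system { $cmd[0] } @cmd; return $? >> 8 }

# Constructed inputs: one well-formed request, one carrying the "junk | del *.*" value.
my %good = (staging => 'stage01.lab', userid => 'loader', passwd => 'Example-pw1',
            directory => '/srv/loads', store => 'store042');
my %bad  = (%good, store => 'junk | del *.*');

for my $req (\%good, \%bad) {
    my @cmd = eval { build_pscp_args(%$req) };
    if (!@cmd) { print "rejected: $@"; next; }
    my @shown = @cmd; $shown[3] = '********';       # keep the password out of output
    print join(' ', map { "[$_]" } @shown), "\n";   # the CGI would call run_pscp(@cmd)
}
```

The loop only prints the validated argument list for the constructed requests; in the CGI handler the same list would be passed to `run_pscp`, and the masked form is the one to echo back to the browser.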