packetstormer has asked for the wisdom of the Perl Monks concerning the following question:

Hello!

I am having a strange problem when trying to run a script via CGI. The code is below, and when run as the www-data user at the console the script runs fine. There are no errors in any of the apache logs and there are no errors to screen. Can anyone suggest anything?

#!/usr/bin/perl

use diagnostics;
use warnings;
use strict;
use Expect;
use CGI::Carp qw( fatalsToBrowser );

$|=1;

print "Content-type: text/html\n\n";

my $timeout = 10;

my $user = "mysqladmin";
my $pass = "mysqlpassword";
my $database = "items";
my $backup_path = '/tmp/b2.sql';
my $su_user = "anotheruser";
my $su_password = "password";

# Build su command and env
my $cmd = "su -s /bin/sh";

my $run = "$cmd $su_user -c \"mysqldump -v -u $user --password=$pass $database > $backup_path\"";

# Check output on screen - remove when live.
print $run;
print "<br/>";

my $exp = Expect->spawn($run) or die "Cannot spawn command \n";
$exp->expect($timeout, ["Password:"]);
$exp->send("$su_password\n");

Replies are listed 'Best First'.
Re: Expect CGI problems
by ww (Archbishop) on Aug 15, 2011 at 20:18 UTC

    I'm glassy-eyed at the moment, so can't offer anything directly responsive to your immediate question... but line 27 set off my alarms.

    # Check output on screen - remove when live.

    That's NOT all you need to remove:

    use diagnostics; and use CGI::Carp qw( fatalsToBrowser ); don't belong in a live script; especially fatalsToBrowser. That gives someone with malicious intent information you don't need to offer.

    As to the uname and p/w data in lines 15-20, you'll find numerous threads here on alternate ways to provide better security; as it is, Apache (or whatever server you're using) need only hiccup at just the wrong moment, and you've given away the store; in fact, not just the store, but also the block and city.

    See also those threads dealing with "placeholders" for additional safety tips.
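
An added example, not part of the thread and not the poster's or ww's code, showing the changes ww's reply points at: no `diagnostics` or `fatalsToBrowser`, no credentials in the script, and no command echoed to the browser. It assumes the dump can run as the CGI user (the `su` step is not covered); the file paths are hypothetical.

```perl
#!/usr/bin/perl
# Added example; paths and file layout are assumptions, not from the thread.
use strict;
use warnings;
use Fcntl qw(:mode);

# Hypothetical MySQL option file kept outside the web root, mode 0600:
#   [client]
#   user=...
#   password=...
my $defaults_file = '/etc/backup/mysqldump.cnf';   # hypothetical path
my $database      = 'items';
my $backup_path   = '/var/backups/items.sql';      # hypothetical path

# Refuse a credentials file that group or others can read, write or execute.
sub check_private {
    my ($path) = @_;
    my @st = stat($path) or die "cannot stat $path: $!\n";
    die "$path is accessible by group/other\n"
        if $st[2] & (S_IRWXG | S_IRWXO);
    return 1;
}

sub run_backup {
    check_private($defaults_file);
    # --defaults-extra-file must be the first option. The password is read
    # by mysqldump itself, so it is not in this script, not on the command
    # line (process list), and never printed to the page.
    my @cmd = ('mysqldump',
               "--defaults-extra-file=$defaults_file",
               "--result-file=$backup_path",
               $database);
    # List form of system(): no shell is involved, so nothing is
    # interpolated into a command string.
    system(@cmd) == 0 or die "mysqldump failed, status $?\n";
    return 1;
}

print "Content-type: text/plain\n\n";
if (eval { run_backup(); 1 }) {
    print "Backup completed.\n";
}
else {
    # Detail goes to STDERR (the server error log under CGI);
    # the browser only gets a generic message.
    warn "backup error: $@";
    print "Backup failed. See the server log.\n";
}
```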

Re: Expect CGI problems
by GrandFather (Saint) on Aug 29, 2011 at 22:25 UTC

    Umm, care to tell us what your "strange problem" is?

    True laziness is hard work