Mail Archives: cygwin/2005/06/30/20:03:47
David Vergin wrote:
> system(qq/echo -en "$data_str" | lpr -oraw/);
> ...or whatever
From a security standpoint, this is horrific. Passing user-supplied
data on the command line to a system command is just a recipe for
disaster. I don't understand why you need to use 'echo' to do your
formatting for you when you have perl. If it were me I would just open
the 'lpr' command directly and write the data directly to it from perl,
e.g.
open(FOO, "| lpr -oraw") or die("can't open lpr: $!");
print FOO "printer\ncodes\000";
close(FOO);
This is right out of "perlopentut".
Consider what happens if $data_str equals "x; rm -rf /". You end up
calling the following command:
/bin/sh -c "echo -en x; rm -rf / | lpr -oraw"
...which means you'll get a nice transcript of your entire filesystem
being erased printed to your printer.
> $ echo -en "hello\nworld"
> hello
> world
Here 'echo' is a built-in of the shell you are using, namely bash, and
that shell supports the -en options of the 'echo' builtin.
> $ perl -e 'system(q/echo -en "hello\nworld"/)'
> -en hello\nworld
system() uses the default shell, namely /bin/sh. So this runs /bin/sh
-c "echo -en whatever". /bin/sh on Cygwin is ash, not bash. Ash does
not support the fancy options for its builtin 'echo' command, so you see
them as part of the output. On Linux, /bin/sh is bash, so this works.
If you REALLY want to do the above, you should either use /bin/echo
(which is a third implementation of echo separate from the builtin
version of sh or bash) or you should explicitly call /bin/bash. But you
shouldn't do either of these because passing strings around on the
command line to echo just to format them is a seriously dumb thing to do
when you have perl.
Brian
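As an added example (not code from Brian's mail or the original thread), here is the pipe approach with Perl's list-form open, so neither ash nor bash ever parses the data and the escape sequences are handled by Perl rather than by a shell's echo. The 'od -c' stand-in for lpr is an assumption made so the bytes can be inspected without a printer.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Added example, not from the original mail. Sends raw printer data to
# lpr without ever handing it to /bin/sh, so shell metacharacters in the
# data are just bytes on the printer wire, not commands.
#
# The spooler command is kept as a list (program plus arguments), never
# as one string that a shell would re-parse.
my @LPR = ('lpr', '-oraw');

sub print_raw {
    my ($data, @cmd) = @_;
    @cmd = @LPR unless @cmd;

    # List-form open with two or more elements: Perl exec()s the program
    # directly. Whether /bin/sh is ash (Cygwin) or bash (Linux) no longer
    # matters, because no shell is involved at all.
    open(my $out, '|-', @cmd) or die "can't run $cmd[0]: $!";
    binmode($out);                       # raw bytes, no newline translation
    print {$out} $data or die "write to $cmd[0] failed: $!";
    close($out)
        or die $! ? "close of $cmd[0] failed: $!"
                  : "$cmd[0] exited with status " . ($? >> 8);
    return 1;
}

# Perl interprets "\n" and "\000" itself, so there is no need for bash's
# non-portable 'echo -en' (ash's builtin echo prints the flags literally).
my $data_str = "printer\ncodes\000";

# Demonstration: the same payload the mail warns about, written through a
# harmless stand-in for lpr ('od -c' is an assumption for this example) so
# the bytes can be inspected. The ';' and 'rm -rf /' arrive as literal
# characters; nothing is executed.
my $hostile = "x; rm -rf /\n";
print_raw($hostile, 'od', '-c');

# Real use would be simply: print_raw($data_str);
```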