Message-ID: <42C488D3.7A683DA9@dessent.net>
Date: Thu, 30 Jun 2005 17:05:39 -0700
From: Brian Dessent
To: cygwin AT cygwin DOT com
Subject: Re: Trouble Sending Printer Codes from Perl to Printer
References: <42C48248 DOT 4090404 AT igc DOT org>

David Vergin wrote:

> system(qq/echo -en "$data_str" | lpr -oraw/);
> ...or whatever

From a security standpoint, this is horrific.  Passing user-supplied data on the command line to a system command is just a recipe for disaster.  I don't understand why you need to use 'echo' to do your formatting for you when you have perl.  If it were me I would just open the 'lpr' command directly and write the data directly to it from perl, e.g.

    open(FOO, "| lpr -oraw") or die("can't open lpr: $!");
    print FOO "printer\ncodes\000";
    close(FOO);

This is right out of "perlopentut".

Consider what happens if $data_str equals "x; rm -rf /".  You end up calling the following command:

    /bin/sh -c "echo -en x; rm -rf / | lpr -oraw"

...which means you'll get a nice transcript of your entire filesystem being erased printed to your printer.

> $ echo -en "hello\nworld"
> hello
> world

Here 'echo' is a built-in of the shell you are using, namely bash, and that shell supports the -en options of the 'echo' builtin.

> $ perl -e 'system(q/echo -en "hello\nworld"/)'
> -en hello\nworld

system() uses the default shell, namely /bin/sh.  So this runs /bin/sh -c "echo -en whatever".  /bin/sh on Cygwin is ash, not bash.  Ash does not support the fancy options for its builtin 'echo' command, so you see them as part of the output.  On Linux, /bin/sh is bash, so this works.

If you REALLY want to do the above, you should either use /bin/echo (which is a third implementation of echo separate from the builtin version of sh or bash) or you should explicitly call /bin/bash.  But you shouldn't do either of these because passing strings around on the command line to echo just to format them is a seriously dumb thing to do when you have perl.

Brian
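The direct-pipe approach from the message above, as an added example that is not part of the original post: it uses the list form of a piped open so that no shell parses the data or the command, and it checks the child's exit status on close. The helper name `send_raw`, the sample bytes, and the `od -c` stand-in for `lpr -oraw` are assumptions made so the example runs without a print queue.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Send raw bytes to a command's stdin without involving /bin/sh.
# With the list form of a piped open, perl fork/execs the program directly,
# so nothing in $data or @cmd is ever parsed by a shell.
# (send_raw is a hypothetical helper name used for this illustration.)
sub send_raw {
    my ($data, @cmd) = @_;
    local $SIG{PIPE} = 'IGNORE';    # report a dead reader via print/close, not a signal
    open(my $out, '|-', @cmd) or die "can't start $cmd[0]: $!";
    binmode($out);                  # printer codes are bytes: no CRLF or encoding layers
    print {$out} $data or die "write to $cmd[0] failed: $!";
    # close() on a pipe waits for the child; $? then holds its wait status.
    close($out) or die $! ? "error closing pipe to $cmd[0]: $!"
                          : "$cmd[0] exited with status " . ($? >> 8);
    return 1;
}

# Constructed sample input: ESC @ (the Epson ESC/P "initialize printer" code),
# the hostile string from the message above, and text containing newlines.
# All of it is plain data here; the ';' never reaches a shell.
my $data_str = "\e\@x; rm -rf /\nhello\nworld\n";

# Stand-in for the real printer command so the example runs anywhere;
# on the system from the thread this would be ('lpr', '-oraw').
my @printer_cmd = ('od', '-c');

send_raw($data_str, @printer_cmd);
```

The `od -c` dump shows every byte, including the escape character and the `;`, arriving at the child process unmodified.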