Solved

System command from PERL / Apache

Posted on 2003-03-31
Last Modified: 2013-12-25
I cannot get system commands to run when called from a PERL script running under apache. I am trying to call an executable called HTMLDOC by calling:

system ('/usr/bin/htmldoc -t pdf14 --webpage '.$filename);

and getting a 500 error rendered in the browser. The error_log contains the following:

[error] Insecure dependency in system while running with -T switch at /home/www/cgi-perl/topdf.pl line 19

When run from a command line on the server itself it is fine...Yes, PerlTaintMode is on

However I cannot even run the following, which I think may be more symptomatic of the problem:

#!/usr/bin/perl -W
$ENV{'PATH'}  = '/bin:/usr/bin:/sbin:/usr/sbin:/usr/local/bin';
$ENV{'IFS'}   = '';
$ENV{'SHELL'} = '/bin/bash';

use CGI qw/:standard/;
use strict;

select(STDOUT); $| = 1;

print "Content-Type: text/plain\n\n";

print <<EOM;
<html><BODY>
EOM
print "<h1> test started </h1>\n  <pre>\n";
system ('/bin/ls /home/<User Share Name>/');
print <<EOH;
</BODY></HTML>
EOH
exit;

This doesn't render a 500 error, but it doesn't actually render the directory listing as expected - again from the command line no problem. I have read all manner of FAQ, and previous posts but haven't found what I need

Please Help

Question by:davenelson
12 Comments
 
LVL 51

Accepted Solution

by:
ahoffmann earned 225 total points
ID: 8254178
you need to use untainted variables in all system() calls, in this example $filename might be the culprit.

BTW, the posted perl script does not have the -T option, so it will work always, but your CGI seems to have this option
0
 

Author Comment

by:davenelson
ID: 8259611
I should have updated the question... I have made a little progress. As you suggest I have untainted variables, so not receiving those error messages any more. The problem is that between apache & perl it simply does not render anything from the system call.

Your help is really appreciated
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8260040
> .. perl it simply does not render anything from the system call.

what do you mean by that? Can't follow ...
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8260059
hmm, or do you probably have in your httpd.conf:

PerlTaintCheck  On
0
 

Author Comment

by:davenelson
ID: 8260068
The webpage that the browser gets from the server has the following html:

Content-Type: text/plain

<html>
<BODY>
<h1>HEADER</h1>
<h1> test started </h1>
  <pre>
<HR>
</BODY>
</HTML>

Yet if called from the command line the following is returned to screen:

Content-Type: text/plain

<html>
<BODY>
<h1>HEADER</h1>
<h1> test started </h1>
  <pre>
bin  cgi-perl  cgi-php  CVS  CVSROOT  doc  lib  lib-php  log  mail  sql  www
<HR>
</BODY>
</HTML>

0
 

Author Comment

by:davenelson
ID: 8260082
I do have PerlTaintCheck On in the httpd.conf however I felt that I had eliminated that as the problem. In my original script I had untainted the input, however in the more simple example I avoid any user input anyway, so tainting shouldn't be an issue at all
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8261178
> .. so tainting shouldn't be an issue at all
wrong.
Perl is clever enough to stop executing when it detects potential programming errors ;-)
When there is taint check, then any system-call which modifies data somehow, must be done with tainted variables.
0
 

Author Comment

by:davenelson
ID: 8261300
At the point of an error though I would've thought that I would see something in the apache error log, however I get nothing; that and the fact that this works from the command line suggests to me that this is more of an issue with Apache & PERL setup rather than the tainting of input in the developers code.
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8261375
> .. s more of an issue with Apache & PERL setup rather than the tainting of input ..
both, or either, or depends on your view of the problem.

is PerlTaintCheck still set On for apache? then you need to untaint variable appropriate, even if there is no -T in the script itself.
0
 

Author Comment

by:davenelson
ID: 8261431
I have solved it - that said, I would still like you to have the points, as I have learnt something from you here.

What I have done is to replace the system("") with backticks, then preceded it with a print command. I also had a read around in my very old perl book and added in the header and start_html function i.e.

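#!/usr/bin/perl
# Fixed, minimal environment for any child process
$ENV{'PATH'}  = '/bin:/usr/bin';
$ENV{'IFS'}   = '';
$ENV{'SHELL'} = '/bin/bash';


use CGI qw/:standard/;
use strict;

select (STDOUT); $| = 1;

print header ("text/plain");
start_html;    # return value is discarded, so this line prints nothing
print "<HTML><HEAD></HEAD><BODY>";
print "<H1>Test started </H1>";
# Backticks capture the command's output so that print can send it to the browser
print `/bin/ls /home/www`;
print "<H1>Test Ended</H1><HR></BODY></HTML>";
exit;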

No errors - it works - I am happy :)

Are you satisfied that I haven't just hidden a problem rather than solving it ?
0
 
LVL 51

Expert Comment

by:ahoffmann
ID: 8262417
well, no anything is ok, 'cause it is a fixed string ;-)
0
 

Author Comment

by:davenelson
ID: 8262721
Thanks again
:)
0
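The untainting the accepted answer calls for, combined with the capture-then-print approach the asker ended up with, as an added example (not code from any poster in this thread). The CGI parameter name `file`, the directory `/home/www/docs` and the helper names are assumptions, and list-form pipe `open` needs Perl 5.8 or later.

```perl
#!/usr/bin/perl -T
# Added example: untaint a CGI-supplied file name, then run htmldoc without a shell.
use strict;
use warnings;
use CGI qw/:standard/;

# Taint mode refuses to run external programs while these are inherited.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $DOC_DIR = '/home/www/docs';    # assumed directory holding the input files

# Return an untainted bare file name, or undef if the input is not acceptable.
# Only a regex capture clears the taint flag, so the pattern is the policy:
# letters, digits, '_' and '-', an .htm/.html extension, no '/', no leading '-' or '.'.
sub untaint_filename {
    my ($raw) = @_;
    return unless defined $raw;
    return $1 if $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_-]*\.html?)\z/;
    return;
}

# Run a command given as a list (no shell parses it) and return what it wrote
# to stdout, so the script can print it to the browser itself.
sub run_capture {
    my @cmd = @_;
    open(my $out, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    local $/;                      # slurp the whole output
    my $data = <$out>;
    close($out) or die "$cmd[0] exited with status $?";
    return $data;
}

my $name = untaint_filename(scalar param('file'));   # 'file' is an assumed parameter name
unless (defined $name) {
    print header(-status => '400 Bad Request', -type => 'text/plain');
    print "invalid file name\n";
    exit;
}

# Same htmldoc options as in the question; each argument is passed separately.
my $pdf = run_capture('/usr/bin/htmldoc', '-t', 'pdf14', '--webpage', "$DOC_DIR/$name");
print header(-type => 'application/pdf');
print $pdf;
```

A pattern such as `/(.*)/` would also clear the taint flag while checking nothing, so the allow-list regex is the part that matters.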
