davenelson
asked on
System command from PERL / Apache
I can not get system commands to run when called form a PERL script running under apache. I am tyring to call an executable called HTMLDOC by calling :
system ('/usr/bin/htmldoc -t pdf14 --webpage '.$filename);
and getting an 500 error rendered in the browser the error_log contains the following
[error] Insecure dependency in system while running with -T switch at /home/www/cgi-perl/topdf.p l line 19
When run from a command line on the server itself it is fine...Yes, PerlTaintMode is on
However I can not even run the following, which I think may be more symtomatic of the problem:
#!/usr/bin/perl -W
$ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/ sbin:/usr/ local/bin' ;
$ENV{'IFS'} = '';
$ENV{'SHELL'} = '/bin/bash';
use CGI qw/:standard/;
use strict;
select(STDOUT); $| = 1;
print "Content-Type: text/plain\n\n";
print <<EOM;
<html><BODY>
EOM
print "<h1> test started </h1>\n <pre>\n";
system ('/bin/ls /home/<User Share Name>/');
print <<EOH;
</BODY></HTML>
EOH
exit;
This doesn't render a 500 error, but it doesn't actaully render the directory listing as expected - again from the command line no problem. I have read all manner of FAQ, and previous posts but haven't found what I need
Please Help
system ('/usr/bin/htmldoc -t pdf14 --webpage '.$filename);
and getting an 500 error rendered in the browser the error_log contains the following
[error] Insecure dependency in system while running with -T switch at /home/www/cgi-perl/topdf.p
When run from a command line on the server itself it is fine...Yes, PerlTaintMode is on
However I can not even run the following, which I think may be more symtomatic of the problem:
#!/usr/bin/perl -W
$ENV{'PATH'} = '/bin:/usr/bin:/sbin:/usr/
$ENV{'IFS'} = '';
$ENV{'SHELL'} = '/bin/bash';
use CGI qw/:standard/;
use strict;
select(STDOUT); $| = 1;
print "Content-Type: text/plain\n\n";
print <<EOM;
<html><BODY>
EOM
print "<h1> test started </h1>\n <pre>\n";
system ('/bin/ls /home/<User Share Name>/');
print <<EOH;
</BODY></HTML>
EOH
exit;
This doesn't render a 500 error, but it doesn't actaully render the directory listing as expected - again from the command line no problem. I have read all manner of FAQ, and previous posts but haven't found what I need
Please Help
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
> .. perl it simply does not render anything from the system call.
what do you mean by that? Can't follow ...
what do you mean by that? Can't follow ...
hmm, or do you probaly have in your httpd.conf:
PerlTaintCheck On
PerlTaintCheck On
ASKER
The webpage that the browser gets from the server has the followign html:
Content-Type: text/plain
<html>
<BODY>
<h1>HEADER</h1>
<h1> test started </h1>
<pre>
<HR>
</BODY>
</HTML>
Yet if called from the command line the following is returned to screen:
Content-Type: text/plain
<html>
<BODY>
<h1>HEADER</h1>
<h1> test started </h1>
<pre>
bin cgi-perl cgi-php CVS CVSROOT doc lib lib-php log mail sql www
<HR>
</BODY>
</HTML>
Content-Type: text/plain
<html>
<BODY>
<h1>HEADER</h1>
<h1> test started </h1>
<pre>
<HR>
</BODY>
</HTML>
Yet if called from the command line the following is returned to screen:
Content-Type: text/plain
<html>
<BODY>
<h1>HEADER</h1>
<h1> test started </h1>
<pre>
bin cgi-perl cgi-php CVS CVSROOT doc lib lib-php log mail sql www
<HR>
</BODY>
</HTML>
ASKER
I do have PerlTaintCheck On in teh httpd.conf however I felt that I had eliminated that as the problem. In my original script I had untainted the input, however in the more simple example I avoid any user input anyway, so tainting shouldn't be an issue at all
> .. so tainting shouldn't be an issue at all
wrong.
Perl is clever enough to stop executing when it detects potential programming errors ;-)
When there is taint check, then any system-call which modifies data somehow, must be done with tainted variables.
wrong.
Perl is clever enough to stop executing when it detects potential programming errors ;-)
When there is taint check, then any system-call which modifies data somehow, must be done with tainted variables.
ASKER
At the point of an error though I would've thought that I would see something in the apache error log, however I get nothing; that and the fact that this works from the command line suggests to me that this is more of an issue with Apache & PERL setup rather than the tainting of input in the developers code.
> .. s more of an issue with Apache & PERL setup rather than the tainting of input ..
both, or either, or depends on your view of the problem.
is PerlTaintCheck still set On for apache? then you need to untaint variable appropriate, even if there is no -T in the script itself.
both, or either, or depends on your view of the problem.
is PerlTaintCheck still set On for apache? then you need to untaint variable appropriate, even if there is no -T in the script itself.
ASKER
I have solved it - that said, I would still like you to have the points, as I have learnt something from you here.
What I have done is to replace the system("") with backticks, then preceeded it with a print command. I also had a read around in my very old perl book and added in the header and start_html function i.e.
#!/usr/bin/perl
$ENV{'PATH'} = '/bin:/usr/bin';
$ENV{'IFS'} = '';
$ENV{'SHELL'} = '/bin/bash';
use CGI qw/:standard/;
use strict;
select (STDOUT); $| = 1;
print header ("test/plain");
start_html;
print "<HTML><HEAD></HEAD><BODY> ";
print "<H1>Test started </H1>";
print `/bin/ls /home/www`;
print "<H1>Test Ended</H1><HR></BODY></HTM L>";
exit;
No errors - it works - I am happy :)
Are you satisfied that I haven't just hidden a problem rather than solving it ?
What I have done is to replace the system("") with backticks, then preceeded it with a print command. I also had a read around in my very old perl book and added in the header and start_html function i.e.
#!/usr/bin/perl
$ENV{'PATH'} = '/bin:/usr/bin';
$ENV{'IFS'} = '';
$ENV{'SHELL'} = '/bin/bash';
use CGI qw/:standard/;
use strict;
select (STDOUT); $| = 1;
print header ("test/plain");
start_html;
print "<HTML><HEAD></HEAD><BODY>
print "<H1>Test started </H1>";
print `/bin/ls /home/www`;
print "<H1>Test Ended</H1><HR></BODY></HTM
exit;
No errors - it works - I am happy :)
Are you satisfied that I haven't just hidden a problem rather than solving it ?
well, no anything is ok, 'cause it is a fixed string ;-)
ASKER
Thanks again
:)
:)
ASKER
Your help is really appreciated