[Buffalo-pm] Asterisk Wildcard When Running Command via Exec...

DANIEL MAGNUSZEWSKI dmagnuszewski at mandtbank.com
Thu Jul 6 12:35:54 PDT 2006


P.S - I am using the following regex to certify the input as valid:

$cgi->param('host') =~ /^[\w\d\-]+$/

...would this make it safe to pass through the shell? Or is there still
a way to circumvent this input check?

-Dan

>>> "DANIEL MAGNUSZEWSKI" <dmagnuszewski at mandtbank.com> 07/06/06 3:28 PM >>>
Yeah, I'm trying to not run it through the shell, as it's a CGI
application...

I tried the:

exec ("/bin/grep", "$wordToFind", glob "/var/adm/messages*");

...but it didn't work. Do I need to include "use File::Glob ':glob';"?
This is running on a solaris 8 machine.

Thoughts?


>>> "Kevin Eye" <eye at buffalo.edu> 07/06/06 2:42 PM >>>
This is a feature -- when you use more than one arg with system or exec,
it doesn't send the arguments through the shell, so that things like
spaces in filenames and maliciously coded input don't do unexpected
things. Wildcard expansion, IO redirection and other nifty things are
done by the shell, though, so you don't get them anymore.

One way to get the behavior you want would be to use one long string
argument to exec like this:
exec("/bin/grep $wordToFind /var/adm/messages*");

That will run it though the shell, expanding the wildcard, but also
possibly doing very bad things if $wordToFind isn't always safely escaped.

A better way is to use the glob function, which expands asterisks on
file names. Try this:
exec ("/bin/grep", "$wordToFind", glob "/var/adm/messages*");

 - Kevin


On 7/6/06 2:34 PM, "DANIEL MAGNUSZEWSKI" <dmagnuszewski at mandtbank.com> wrote:

> Mongers,
> 
> I am trying to grep from multiple files, named: messages, messages.0,
> messages.1, messages.2, etc. What I'd like to do is grep through all of
> these at once. The command to do this is:
> 
> grep <wordToFind> /var/adm/messages*
> 
> So what I've tried doing is the following:
> 
> my $wordToFind = 'router1';
> open (PROGRAM, "-|")  or exec ("/bin/grep", "$wordToFind",
> "/var/adm/messages*");
> 
> The asterisk seems to break, and I get no information. When I remove
> the asterisk:
> 
> my $wordToFind = 'router1';
> open (PROGRAM, "-|")  or exec ("/bin/grep", "$wordToFind",
> "/var/adm/messages");
> 
> ...then everything works fine, but only greps through that one file.
> How can I declare a wildcard within this code - if at all?
> 
> Thanks.
> 
> -Dan
> 
> _______________________________________________
> Buffalo Perl Mongers Homepage
> http://buffalo.pm.org 
> 
> Buffalo-pm mailing list
> Buffalo-pm at pm.org 
> http://mail.pm.org/mailman/listinfo/buffalo-pm 

-- 
Kevin Eye
Web Applications Developer
Marketing and Creative Services
University at Buffalo
330 Crofts Hall
Buffalo, NY 14260
eye at buffalo.edu 
phone (716) 645-5000 x1435
fax (716) 645-3765
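Putting the thread's advice together, as an added example that is not code from the thread: the wildcard is expanded by Perl's glob, grep is started with the list form of open so no shell is involved, and the search term is checked with a slightly tightened version of Dan's regex (\z instead of $, so a trailing newline is rejected). The "--" before the term is an addition of mine: the regex accepts a leading hyphen, which grep would otherwise read as an option. The path /var/adm/messages* and /bin/grep are taken from the thread.

```perl
#!/usr/bin/perl
# Added example (not from the thread): grep /var/adm/messages* without a
# shell, expanding the wildcard in Perl and validating the search term.
use strict;
use warnings;

# Accept only word characters and hyphens. \z anchors at the true end of
# the string; $ alone would also match just before a trailing newline.
sub valid_term {
    my ($term) = @_;
    return defined $term && $term =~ /^[\w-]+\z/;
}

# Build grep's argument list. glob() expands the wildcard in-process, so
# nothing in $term is ever interpreted as a shell metacharacter.
# "--" ends option parsing, so a term starting with "-" (allowed by the
# regex above) is treated as a pattern rather than as a switch.
sub grep_args {
    my ($term, $pattern) = @_;
    my @files = glob $pattern;
    die "no files match $pattern\n" unless @files;
    return ('/bin/grep', '--', $term, @files);
}

# Run grep and return its output lines. The list form of open('-|')
# hands each element to execve as a separate argv entry; no shell runs.
sub grep_logs {
    my ($term, $pattern) = @_;
    die "invalid search term\n" unless valid_term($term);
    my @cmd = grep_args($term, $pattern);
    open my $fh, '-|', @cmd or die "cannot run $cmd[0]: $!\n";
    my @lines = <$fh>;
    close $fh;    # grep exits 1 when nothing matches; that is not an error here
    return @lines;
}

# Constructed default for the demo; a CGI would pass $cgi->param('host').
my $word = defined $ARGV[0] ? $ARGV[0] : 'router1';
print for grep_logs($word, '/var/adm/messages*');
```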
