Skip to main content.
home | support | download

Back to List Archive

RE: First post from a new user

From: Bas Meijer <bas(at)>
Date: Mon Sep 11 2000 - 19:19:36 GMT
>At 06:43 AM 09/08/00 -0700, Don Hamilton wrote:
>>Thanks for this. Just didn't realize what I was reading. In the mean time,
>>the answer to my other question (is there a cgi for phrase searching with
>>version 2) was just to modify the John's cgi to include single quotes (')
>>around the $query variable in the call to swish-e.
>This statement made me go and take a really quick look at that script.
>Unless I missed something, that script uses tainted data in $query for this
>   open(SWISH, "$swish -w $query -m $results $search_tags -f $index|");
>This is not a safe way of calling swish in a CGI script.  See perldoc
>perlsec and perldoc perlipc and read about "safe pipe opens".
>People do use that above method and clean up the passed parameters rather
>well, but I'd still not recommend that method.  Just fork and exec as
>perlipc suggests.
>A front-end CGI to swish it trivial to write.  If it doesn't seem so then
>you are probably the wrong person to be implementing swish or any Perl cgi
>script.  I'm not trying to be rude, but I say this because you can risking
>the health of your web site and system if you are not careful -- and there
>are a lot of hackers out there that know about these insecure CGI scripts.
>Every perl script running a CGI script should at least start out like this:
>#!/usr/local/bin/perl -wT
>use strict;
>We should take some time and review the scripts available on the Swish-E
>site and remove any that are insecure.
>I'm writing a Perl module interface to swish that will work with both the
>forked and library versions of swish-e.  I'll try to get it loaded to CPAN
>at some time soon.
>Bill Moseley


As Bill posted, and from my research, there are quite some scripts 
that call swish the 'easy' way with a pipe:

open(SWISH, "$swish -w $query -m $results $search_tags -f $index|"); # UNSAFE

if $query is carefully crafted you run the risk of harmful shell escapes.

A better way to call the external (compiled C) program swish-e from 
perl would be the line:

open SWISH, '-|' or exec $swish, '-w', $query, '-m', $results, 
$tflag, $search_tags, '-f', "$swishdir/$index" or exec 'echo', "err: 

When exec gets passed a list, no shell is called and so no shell 
escapes can occur. See the Perl Cookbook from O'Reilly p. 684 for 
more info. I've added the extra part: or exec 'echo', "err: $!";  at 
the end because i want to catch the system error from unix when 
swish-e is not where $swish points to, for instance: not found, 
permission denied, this way both system and swish error messages can 
be handled by the script by looking at the prefix err:.

	while (<SWISH>) {
		if ($_ eq "err: no results") {
		  &search_error("Your Search for $query returned no items");

		if ($_ eq "err: could not open index file") {
		  &search_error("Could not open SWISH Index File $index");

		if ($_ eq "err: no search words specified") {
		  &search_error("Please Enter at least one Search Word");

		if ($_ eq "err: a word is too common"){
		  &search_error("One of your search terms is too 
common, please try again");

	  	if  (/err: (.*)/) {
			&search_error("Swish error: $1");

these are snippets from Lookup

Bas Meijer
Received on Mon Sep 11 19:20:10 2000