Re: configuring and debugging swish.cgi with IIS

From: Nathan Vonnahme <nathan.vonnahme(at)not-real.bannerhealth.com>
Date: Wed Jun 11 2003 - 22:54:31 GMT
Well, adding the qq["$_"] part makes it work on Windows with filepaths containing spaces, which was my original problem.  And on Windows, that's all you should need to do, because a " is never allowed in a filename (at least, I tried making a file with one several ways and I can't).  

Hrmf.  Well, perldoc perlport has this helpful bit of advice:

"In general, don't directly access the system in code meant to be portable. That means, no system, exec, fork, pipe, ``, qx//, open with a |, nor any of the other things that makes being a perl hacker worth being."

..

I have a theory about IPC::Open3, I will play with it and let you know.

-n


>>> Bill Moseley <moseley@hank.org> 06/11/03 01:21PM >>>
On Tue, Jun 10, 2003 at 04:45:22PM -0600, Nathan Vonnahme wrote:
> > 
> >    my @command = map { s/"/\\"/g; qq["$_"] }  @args;
> yes, that would be perfect.  You could use that line everywhere,
> including doc2txt.pm and pdf2*.pm

Ok, I added that, but it still is not secure, but it's not meant to be.  
It was supposed to preserve quotes used for phrases and spaces in file 
names.

A better way would be to use single quotes on *nix and fall back to
double quotes on Windows.  Or better, write some portable and secure
"run_program()" function that works everywhere. Too many platforms to 
worry about.

The above is easily bypassed by using a backslash in the file name. 
Get a file named something like:

  \"; foo -rf /; \"

and you are in business.  It's a common error seen in many CGI programs 
to try and escape away the shell metas.  The only answer is to know the 
shell and only allow known good chars.  Bypass the shell when possible.



-- 
Bill Moseley
moseley@hank.org
Received on Wed Jun 11 22:54:33 2003
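
The two remedies named in the quoted message (allow only known good characters, and bypass the shell) are shown below as an added example; it is not code from this thread or from the swish-e distribution. The name `run_program` is borrowed from the message but its body, the helper `is_safe_name`, and the allowlist character set are assumptions, and the list-form pipe open assumes a Unix-like system.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# File name taken from the message above; it is only handled as data here.
my $name = q{\"; foo -rf /; \"};

# The quoting line from the thread, applied to a copy so $name is untouched.
my ($quoted) = map { (my $c = $_) =~ s/"/\\"/g; qq["$c"] } $name;
# Each \" in the name became \\" : an escaped backslash followed by a bare
# quote that closes the string, so a shell would parse the middle as commands.
print "shell would receive: $quoted\n";

# Allowlist check: accept only characters known to be harmless.
# The exact character set is an assumption; adjust it to the files you index.
sub is_safe_name {
    my ($n) = @_;
    return $n =~ m{\A[A-Za-z0-9_./ -]+\z} ? 1 : 0;
}

# Hypothetical helper: run a program with no shell involved, return its output.
# List-form open ('-|') hands each argument to exec() unchanged on *nix.
sub run_program {
    my ($prog, @args) = @_;
    open(my $fh, '-|', $prog, @args) or die "cannot run $prog: $!";
    local $/;                       # slurp all of the child's output
    my $out = <$fh>;
    close($fh) or die "$prog exited with status $?";
    return $out;
}

print "allowlist accepts it: ", (is_safe_name($name) ? "yes" : "no"), "\n";

# With no shell, the whole name arrives as one argument, metacharacters and all.
# $^X is the running perl, used here as a stand-in for the real filter program.
print run_program($^X, '-e', 'print scalar(@ARGV), " arg: $ARGV[0]\n"', $name);
```

The first line printed shows the string a shell would have been given, the second shows the allowlist rejecting the name, and the third shows the child process receiving the name as a single argument.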