0

Working in PERL, I am trying to run unix command line using variabels parsed from an html form. The following is the HTML form:

<?PHP
if ($_REQUEST['action'] == "submit") {
    $var1 = $_REQUEST['var1'];
    $var2 = $_REQUEST['var2'];
    ** working toward executing script "/usr/lib/cgi-bin/test.pl" with the above variables **
}
?>
<!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Transitional//EN" "http://www.w3.org/TR/xhtml1/DTD/xhtml1-transitional.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <meta http-equiv="Content-Type" content="text/html; charset=utf-8" />
        <title>Test HTML Submit to CGI</title>
    </head>
    <body>
        <form name-"Submit" id="Submit" method="POST">
            <input type="hidden" name="action" value="submit" />
            Input Variable 1<br /><br />
            <input type="text" name="var1"></input><br /><br />
                                 Input Variable 2<br /><br />
            <input type="text" name="var2"></input><br /><br />
            <input type="submit" value="Execute script" />
                      </form>
    </body>
</html>

and I am looking for the right syntax to use these variables to submit a unix command line via a CGI script. I have a test.pl with the following:

use CGI;
$parse = new CGI;
$var1 = $parse->param('var1');
$var2 = $parse->param('var2');
if ($var1) {
    if ($var2) {
       echo "$var1" | UnixCommand --trigger +$var2                                          
    }
}
exit;

I want to execute the script from the submitted form only after some validation Iw ill write into the top of the PHP file. The unix command I am trying to execute in the CGI requires both the quotes around var1 and the + before $var2 to be literal, whichi I presume will require some sort of append within the CGI or escaping to make the text flow correctly. Are there some kind of escape variables I need to use to get the string to execute properly at the command line?

Any help you could provide would be appreciated,

Silver Tiger

Improve this question

2 Answers 2

Reset to default
1 
#!/usr/bin/perl -T
use strictures;
use CGI qw();
use IPC::Run qw(run);
use autodie qw(:all run); # must come after importing 'run'

delete @ENV{qw(PATH IFS CDPATH ENV BASH_ENV)}; # perldoc perlsec

my $cgi = CGI->new;

# parameter restriction/untainting
my ($var1) = ($cgi->param('var1') =~ /\A ([A-Za-z]+) \z/msx);
my ($var2) = ($cgi->param('var2') =~ /\A ([A-Za-z]+) \z/msx);

if (defined $var1 && defined $var2) {
    run # will autodie if return code is wrong
        ['/usr/bin/UnixCommand', '--trigger', '+'.$var2], # command and arguments as list
        \$var1,     # in
        \*STDOUT;   # out
} else {
    die 'invalid parameters';
}
Improve this answer
Sign up to request clarification or add additional context in comments.

5 Comments

I will adjust my CGI to reflect this, and attempt to read through to understand what's being done. thank you for your feedback, I will let you know if I am able to make progress.
It looks like my ubuntu 10.10 doesnt like the items you are using. I installed CPAN to see if I could locate and install these, but are they designed to be used in a win32 system? just trying to get to a state where I can use the provided example above.
I have installed the IPC libraries and am currently working my way through getting this script to execute. Is there a way for me to test this at the unix command line defining the input varibles and am I able to sudo this as it may require more permissions than the default web users to execute...
Indeed, that is explained in the fine CGI manual.
thank you for the info, I will work on this and post my final result when i have it ready.
0

1) Why not use php everywhere?

2) Escape quotes, then use open: 

# replace all quotes/backslashes
$var2 =~ s/(['\\])/'\\$1'/g; 
# open a command (it's popen(3) really) 
open (my $pipe, "|-", "$command '$var2'")
     or die "Cannot open $command: $!";
print $pipe, $var1; # not echo

3) Sidenote: always place 

use warnings;
use strict;

at the beginning of you perl script. You'll have less chances to miss an error.

You can also add $parse->import_names("q"); and then access vars as $q::var1 etc which is IMHO simpler than calling param() all the way.

Improve this answer

4 Comments

on a second note, I was originally trying to use the exec() function in php to do this, but was unable to get it working. I would love to keep this in php. The reason i was having PHP call the script so i could validate and "clean" the variables before i submitted them to the unix command line.
I deleted my first comment, it was scatterbrain. the reason i used "echo" was because the unix command was fully like this - echo "this is my text" | command --options +123456
-1: lacks taint checks; home-grown shell quoting is wrong; does not use list form for popen. Please read perlsec.
@daxim: Thanks for the list open form, I overlooked that.

Your Answer

By clicking “Post Your Answer”, you agree to our terms of service and acknowledge you have read our privacy policy.

Start asking to get answers

Find the answer to your question by asking.

Ask question

Explore related questions

See similar questions with these tags.