Hi all. I have a application that needs to execute a system call via
command line. However, the problem I'm running into is this particular
command takes a username and password both of which can be any pattern and
combination of special characters. Does anyone know of a way to safely
execute this command with these free form parameters without risk of
malicious code being inadvertently executed? The pattern of the command is
as follows:
Call system with more than one argument, and you don't get the shell
involved:
system "/usr/bin/cmd", "-username", username, "-password", password
···
At 2009-10-07 03:15PM, "Zundra Daniel" wrote:
Hi all. I have a application that needs to execute a system call via
command line. However, the problem I'm running into is this particular
command takes a username and password both of which can be any pattern and
combination of special characters. Does anyone know of a way to safely
execute this command with these free form parameters without risk of
malicious code being inadvertently executed? The pattern of the command is
as follows:
Does anyone know of a way to safely execute this command with
these free form parameters without risk of malicious code being
inadvertently executed? The pattern of the command is as
follows:
As others have mentioned, you could do system like this instead:
system '/usr/bin/cmd', '-username', username, '-password', password
But there's a security flaw in the way you're doing this -- chances are, anyone
on the system can read those straight from the system process list. Is there
any way to supply these credentials to that command, other than the
commandline?
···
On Wednesday 07 October 2009 02:15:21 pm Zundra Daniel wrote:
It has already been said that this is very dangerous. Please check
the command you want to execute for something like ssh's
SSH_ASKPASS environment variable or gpg's --passphrase-fd option.
Thanks all for the input. Unfortunately there is no other way to execute
this particular script. It is actually a custom written application written
by another team at my company. However, the device this application is
controlling does not allow users access to a shell so correct me if I'm
wrong the risk here are minimal in that regard. The only safeguard I was
looking for which has been answered was against the apache user attempting
to execute some malicious code. If a user happens to gain shell access to
this device we have way bigger problems. Again, thanks everyone for the
input and please let me know if I'm overlooking something.
···
On Thu, Oct 8, 2009 at 8:56 AM, Bertram Scharpf <lists@bertram-scharpf.de>wrote:
Hi,
Am Donnerstag, 08. Okt 2009, 04:15:21 +0900 schrieb Zundra Daniel:
>
> /usr/bin/cmd -username #{username} -password #{password}
It has already been said that this is very dangerous. Please check
the command you want to execute for something like ssh's
SSH_ASKPASS environment variable or gpg's --passphrase-fd option.