RE: Internal -e escape char

2003-12-19 Thread Dan Muey

> Dan Muey wrote:
> 
> [snip]
> 
> > I could replace all single quotes with double quotes and escape 
> > everything in between them but that seems like a lot.
> > 
> > Any ideas how to deal with the single quotes? (Since shell escape 
> > characters may or may not work since apache is executing it)
> 
> after trying (a few years ago) to do something similar to what you propose,
> which led to a total mess and difficult-to-maintain code, i basically gave
> up this escape-shell-character approach. it's almost impossible to know
> when to escape and when not to escape. i now use a different approach.
> instead of invoking Perl from the command line with -e, i simply print the
> code to a file and then run the code within the file.

Good idea!!!
I'll give that a go. The only problem is I should have thought of that!!
I'll get there one of these days :)

Thanks for the idea David.

Dan

> here is a stripped-down version of what i used to do:
> [snip]

--
To unsubscribe, e-mail: [EMAIL PROTECTED]
For additional commands, e-mail: [EMAIL PROTECTED]
 




Re: Internal -e escape char

2003-12-16 Thread david

Dan Muey wrote:

[snip]

> I could replace all single quotes with double quotes and escape everything
> in between them but that seems like a lot.
> 
> Any ideas how to deal with the single quotes? (Since shell escape
> characters may or may not work since apache is executing it)

after trying (a few years ago) to do something similar to what you propose, 
which led to a total mess and difficult-to-maintain code, i basically gave 
up this escape-shell-character approach. it's almost impossible to know 
when to escape and when not to escape. i now use a different approach. 
instead of invoking Perl from the command line with -e, i simply print the 
code to a file and then run the code within the file. here is a 
stripped-down version of what i used to do:

#!/usr/bin/perl -w
use strict;

use CGI;
use File::Temp qw/tempfile tempdir/;

my $cgi = CGI->new;

if($cgi->param('code')){

    # write the submitted code into a temp file inside a temp dir that
    # File::Temp removes when the script exits (CLEANUP => 1)
    my($fh,$fn) = tempfile(DIR => tempdir(CLEANUP => 1));

    print $fh "#!/usr/bin/perl -w\n";
    print $fh "use strict;\n\n";

    # scalar: avoids the list-context warning newer CGI.pm versions emit
    print $fh scalar $cgi->param('code');

    close($fh);

    # make the file executable and run it; backticks in list context
    # return the program's output one line per element
    if(chmod(0755,$fn)){
        html($cgi,scalar $cgi->param('code'),`$fn`);
    }else{
        html($cgi,"Unable to run: \n\n" . $cgi->param('code'));
    }
}else{
    html($cgi,undef);
}

#-- DONE-- #

sub html{

    my $cgi  = shift;
    my $code = shift;

    my $value = $code || '';

    if(@_){
        $value .= "\n\n__END__\n\n";
        $value .= $_ for(@_);
    }

    # escape so code or output containing </textarea> or < cannot
    # break out of the textarea (or the page) when echoed back
    $value = $cgi->escapeHTML($value);

    # the form markup of the here-doc was lost when this message was
    # archived; the textarea plus submit button below is reconstructed
    # from the description that follows the code
    print $cgi->header,<<HTML;
<form method="post">
<textarea name="code" rows="20" cols="80">$value</textarea>
<br>
<input type="submit" value="run">
</form>
HTML

}

__END__

a textarea is printed along with a submit button, code is entered through the 
textarea, when the submit button is clicked, a tmp file is created which 
holds the code from the textarea. the file is then run from the command 
line and output is returned back to the textarea. finally, the tmp file is 
deleted when the script finishes.

david 
-- 
sub'_{print"@_ ";* \ = * __ ,\ & \}
sub'__{print"@_ ";* \ = * ___ ,\ & \}
sub'___{print"@_ ";* \ = *  ,\ & \}
sub'{print"@_,\n"}&{_+Just}(another)->(Perl)->(Hacker)

 




Internal -e escape char

2003-12-16 Thread Dan Muey

Howdy,

I just finished a script that does Benchmarking from a web based form. It's pretty 
handy since all I have to do is tell it how many different pieces of code I want to 
run, type them in and see the results.

I did this because it is quick and easy and I can use it when all I have is web 
access (must be authenticated to use) (IE no ssh or ftp). And I don't have to create a 
new script every time I want to see which is fastest.

Ok, now with that same idea in mind I'd like to have a form I could enter some perl 
into and have it execute it via perl -e.
(I know I know, security etc..., what if they put in `rm -f /` etc... just hear me out 
;p)

If I don't have shell access I'd like to login to my area, 
select from a menu which code to run (all they get is values of numbers that 
correspond to a hash internally so they can't give it evil input) and a few other 
options (which must be cleaned via some regexes). All of it is run with -w and use 
strict; and I may make it do -T also. So with all of that in mind here's my question:
Doing this:
...
my $pthprl = '/usr/bin/perl -Mstrict -we';
...
print `$pthprl '$codeX' '$inpuX'`;

Assume $codeX and $inpuX are being properly safeified (they are also being run via 
webserver so there are even fewer privileges than if I was ssh'd in).

This works very well, unless $codeX has single quotes. ($inpuX I urlencode and must 
therefore use CGI 'param' to get it into my -e test code)

I could replace all single quotes with double quotes and escape everything in between 
them but that seems like a lot.

Any ideas how to deal with the single quotes? (Since shell escape characters may or 
may not work since apache is executing it)

TIA

DaN
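The direct fix for the single-quote problem is to stop building a shell command line at all. As an added example (not code from either poster in this thread), the script below uses the list form of open() so perl receives $codeX and $inpuX as separate argv entries; the variable names follow Dan's post, the sample code string and input are constructed, and the shell string is only printed to show the breakage, never executed.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: the code to run contains single quotes, which is the
# case that breaks the backtick command line in the original post, and the
# input contains an apostrophe and a space.
my $codeX = q{my $s = shift; print 'got: ', length($s), "\n";};
my $inpuX = "it's a test";

# The original approach: a single string handed to the shell. Each ' inside
# $codeX terminates the '...' quoting early, so the shell sees a different
# command than intended and any shell metacharacters in the data become live.
sub shell_command_string {
    my ($code, $input) = @_;
    my $pthprl = '/usr/bin/perl -Mstrict -we';
    return "$pthprl '$code' '$input'";   # what the shell would have to parse
}

# Hardened form: never build a command line at all. The list form of open()
# hands every argument straight to execve(), so quotes, spaces, $, ` and ;
# in the data are just bytes in argv and nothing needs escaping. Apache
# executing the CGI makes no difference, since no shell is involved.
sub run_without_shell {
    my ($code, $input) = @_;
    open(my $out, '-|', '/usr/bin/perl', '-Mstrict', '-we', $code, $input)
        or die "cannot fork perl: $!";
    my @lines = <$out>;
    close($out);                         # $? now holds the child's status
    return (join('', @lines), $? >> 8);
}

print "shell string: ", shell_command_string($codeX, $inpuX), "\n";
my ($output, $status) = run_without_shell($codeX, $inpuX);
print "output: $output";
print "exit status: $status\n";
```

The same list form works for system() and exec(), and it removes the need for the temp-file-plus-chmod detour in david's version, though user-supplied code is of course still executed with the web server's privileges.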
