This is the mail archive of the cygwin mailing list for the Cygwin project.



Re: Trouble Sending Printer Codes from Perl to Printer


David Vergin wrote:

>      system(qq/echo -en "$data_str" | lpr -oraw/);
>      ...or whatever

From a security standpoint, this is horrific.  Passing user-supplied
data on the command line to a system command is just a recipe for
disaster.  I don't understand why you need to use 'echo' to do your
formatting for you when you have perl.  If it were me I would just open
the 'lpr' command directly and write the data directly to it from perl,
e.g.

open(FOO, "| lpr -oraw") or die("can't open lpr: $!");
print FOO "printer\ncodes\000";
close(FOO);

This is right out of "perlopentut".

Consider what happens if $data_str equals "x; rm -rf /".  You end up
calling the following command:

/bin/sh -c "echo -en x; rm -rf / | lpr -oraw"

...which means you'll get a nice transcript of your entire filesystem
being erased printed to your printer.

> $ echo -en "hello\nworld"
> hello
> world

Here 'echo' is a built-in of the shell you are using, namely bash, and
that shell supports the -en options of the 'echo' builtin.

> $ perl -e 'system(q/echo -en "hello\nworld"/)'
> -en hello\nworld

system() uses the default shell, namely /bin/sh.  So this runs /bin/sh
-c "echo -en whatever".  /bin/sh on Cygwin is ash, not bash.  Ash does
not support the fancy options for its builtin 'echo' command, so you see
them as part of the output.  On Linux, /bin/sh is bash, so this works.

If you REALLY want to do the above, you should either use /bin/echo
(which is a third implementation of echo separate from the builtin
version of sh or bash) or you should explicitly call /bin/bash.  But you
shouldn't do either of these because passing strings around on the
command line to echo just to format them is a seriously dumb thing to do
when you have perl.

Brian
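As an added illustration (not part of Brian's post or the perlopentut text), the shell-free way to hand raw bytes to lpr from Perl: the list form of open starts lpr directly, so the data never appears on a command line. The sample bytes in $data_str and the helper names are constructed for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample: printer data that happens to contain shell metacharacters
# and control bytes.  Perl itself interprets \n, \x1b and \000 here, which is
# why 'echo -en' is not needed for formatting.
my $data_str = "Order 42; echo injected\n\x1b\@\000";

# UNSAFE (the pattern criticised above): $str becomes part of a /bin/sh
# command line, so ';' splits it into a second command, and a NUL byte cannot
# even be passed this way.  Kept only for comparison; never call it on
# untrusted data.
sub print_via_shell {
    my ($str) = @_;
    return system(qq/echo -en "$str" | lpr -oraw/);
}

# SAFE: list-form open runs the command directly (no shell involved, so the
# only argument lpr ever sees is '-oraw') and the data travels down the pipe
# as bytes, where metacharacters and NULs are simply printer input.
sub print_raw {
    my ($bytes, @lpr_cmd) = @_;
    open(my $lpr, '|-', @lpr_cmd) or die "can't run @lpr_cmd: $!";
    binmode($lpr);                       # no newline translation on Cygwin
    print {$lpr} $bytes or die "write to lpr failed: $!";
    close($lpr)
        or die($! ? "error closing pipe: $!" : "lpr exited with status $?");
    return 1;
}

print_raw($data_str, 'lpr', '-oraw');
```

Replacing ('lpr', '-oraw') with ('od', '-c') shows the exact bytes that reach the child process, which is a handy way to check the output before sending it to a real printer.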
