Skip to main content.
home | support | download

Back to List Archive

Re: configuring and debugging swish.cgi with IIS

From: Nathan Vonnahme <nathan.vonnahme(at)not-real.bannerhealth.com>
Date: Wed Jun 11 2003 - 00:25:26 GMT
> >>> Bill Moseley <moseley@hank.org> 06/10/03 11:16AM >>>
> On Tue, Jun 10, 2003 at 10:33:35AM -0700, Nathan Vonnahme wrote:
> > 
> > I have to use IIS (arggg), 
> 
> I always wonder about that.  Throw linux and Apache on an old P133
> that's too slow for Windows, use samba and you have a nice stable web 
> server platform.

well, I guess I should say I've *decided* to keep using IIS (arggg).  There are lots of nontechnical reasons (political, historical, cultural) for going against my personal preference :)  


> That still stinks.  I just looked at the SWISH::Filter.pm module and it 
> does:
> 
>    my @command = map { s/"/\\"/g; qq["$_"] }  @args;
> 
> So quotes are escaped and then then entire parameter is placed inside 
> double quotes.  Would that fix your problem above?  Then you wouldn't 
> need to add that quotes in the "swish_binary" above.

yes, that would be perfect.  You could use that line everywhere, including doc2txt.pm and pdf2*.pm

> > It might be better to add a more robust argument escaping method to
> > prevent filenames with special characters from doing unexpected things
> > (or better would be to not use backticks to avoid the shell
> > completely).
> 
> Well, without fork/exec on Windows it's hard.  I'm sure there's some 
> Win32 specific functions to do that, but I have never looked into it.  I 
> spent a *year* posting to Win32 CGI lists asking how to securely run an 
> external program (like swish-e) from a CGI script and never got any 
> response.

I was thinking that that's what you're doing with IPC::Open2, right?

At least, its documentation claims:
    $pid = open2(\*RDRFH, \*WTRFH, 'some cmd and args');
      # or without using the shell
    $pid = open2(\*RDRFH, \*WTRFH, 'some', 'cmd', 'and', 'args');

so since you're passing an array it shouldn't use the shell (and as far as I can tell from reading IPC::Open* and IO::Pipe, it doesn't), but apparently on Windows it still barfs on that unescaped space, so it must be interacting with DOS somehow.  I guess if you use system(@array) it's not supposed to use the shell, but if the first arg has a space it probably thinks you do need to use the shell, or something like that?  

The escaping and quoting method above should be find for everything, but I think it would be possible to just write a backtick() type subroutine that uses IPC::Open2 or 3, then I think you would be forever free from shell metacharacter exploits, though you'd still need to do the escaping/quoting thing on Windows at least.  It might not be worth it though... just escaping and quoting should be pretty foolproof.

Anyway I've learned far more than I ever wanted to know about this IPC and Windows stuff, so it's been quite educational.  

Thanks!
Received on Wed Jun 11 00:25:27 2003