bypass shell - pipe into child pid and receive otput

[Mirco Wahab]

I'm trying to work with a filter prog
under Unix from a Perl script (CGI).

This program (htmldoc, => google) receives
some command line parameters and some input
via stdin - and returns its output via stdout.


What I do is: piping through the shell, like:

{
...
my $htmlpage = '... several KB HTML stuff, comes from above ';
my $prog = '/usr/bin/htmldoc';

return
qx{echo -e '$htmlpage' | $prog --webpage -t pdf -}
}

.... and receive the output directly back to the Perl script.
This works somehow, BUT has tremendous security problems (imho).

How can I bypass the shell, maybe via
forking a child process, like:

<pseudo>
...
my $pid = open( my $pipe, "-|") or die "can't fork $!";
unless( $pid ) { # did we get 0 pid back?
exec $prog, $htmlpage
}
</pseudo>

But this wouldn't give me the output of $prog back.

What did I miss?


Thanks & regards

Mirco

 

[xhoster]

I'm trying to work with a filter prog
under Unix from a Perl script (CGI).

This program (htmldoc, => google) receives
some command line parameters and some input
via stdin - and returns its output via stdout.

What I do is: piping through the shell, like:

{
...
my $htmlpage = '... several KB HTML stuff, comes from above ';
my $prog = '/usr/bin/htmldoc';

return
qx{echo -e '$htmlpage' | $prog --webpage -t pdf -}
}

... and receive the output directly back to the Perl script.
This works somehow, BUT has tremendous security problems (imho).

What are those problems, IYHO?

How can I bypass the shell, maybe via
forking a child process, like:

<pseudo>
...
my $pid = open( my $pipe, "-|") or die "can't fork $!";
unless( $pid ) { # did we get 0 pid back?
exec $prog, $htmlpage
}
</pseudo>

But this wouldn't give me the output of $prog back.

Well of course it wouldn't. Perl is a language, not a psuedo-language.

What did I miss?

See above.

Xho