Fundamental pipe questions

grocery_stocker

What's the difference between
open(FOO, "│tr ’[a-z]’ ’[A-Z]’");

and

open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’");

Can open(FOO, "│tr ’[a-z]’ ’[A-Z]’"); be run safely under another
user ID like what
open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’"); ?

I (think) I know that open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’"); doesn't
spawn a shell. Is the same true for
open(FOO, "│tr ’[a-z]’ ’[A-Z]’"); ?

Thanks in advance
Chad
 
Peter J. Holzer

["Followup-To:" header set to comp.lang.perl.misc.]
What's the difference between
open(FOO, "│tr ’[a-z]’ ’[A-Z]’");

How did you manage that? "│" is not a pipe ("|" is) and "’" is not a
single quote ("'" is). So that code will indeed not invoke a shell,
instead it will try to open the file "│tr ’[a-z]’ ’[A-Z]’" for reading.
But I'll assume that the strange characters were introduced by your
browser or google and that your real code does contain a pipe character
and single quotes.

and

open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’");

None.


Can open(FOO, "│tr ’[a-z]’ ’[A-Z]’"); be run safely under another
user ID like what
open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’"); ?

I (think) I know that open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’"); doesn't
spawn a shell.

You think wrong. That does spawn a shell as can be seen with strace:

execve("/bin/sh", ["sh", "-c", "tr \'[a-z]\' \'[A-Z]\'"], [/* 49 vars */]) = 0

Is the same true for
open(FOO, "│tr ’[a-z]’ ’[A-Z]’"); ?

That also spawns a shell. You can avoid that by using the list form:

open(FOO, '|-', 'tr', '[a-z]', '[A-Z]');

hp
 
xhoster

Lost Sheep Of the Porn said:
Yes, the strange characters were introduced by my browser.

Clearly they are introduced in your posting software, not your browsing
software. Please try to fix that, or people will be less likely to respond
to you.
If both these constructs are the same, then why does perlipc rattle on
about using |- for safe pipe opens. I think the following from perlipc
comes to mind.

And here's a safe pipe open for writing:

# add error processing as above
$pid = open(KID_TO_WRITE, "|-");

Notice that lack of any third (or more) arguments in that pipe open,
and the lack of program name in the 2nd argument.
$SIG{PIPE} = sub { die "whoops, $program pipe broke" };

if ($pid) { # parent
for (@data) {
print KID_TO_WRITE;
}
close(KID_TO_WRITE) || warn "kid exited $?";

} else { # child
($EUID, $EGID) = ($UID, $GID);

See here where it mucks around with $EUID? If you used either the
two argument open which contained the command name and all of its arguments
in the 2nd argument, or the 3 or more argument form, then you would not
have an opportunity to do this before the $program got executed. That is
the main thing that makes this safer than the alternative. The second
thing is that by using the multi-argument form of exec, you prevent the
shell from trying to interpret the arguments (this one you could also do,
on sufficiently modern Perls, by using the more than 3 argument pipe open).

exec($program, @options, @args)
|| die "can't exec program: $!";
# NOTREACHED
}

Xho
 
grocery_stocker

Clearly they are introduced in your posting software, not your browsing
software. Please try to fix that, or people will be less likely to respond
to you.
I keep meaning to take an intro computer science class at the College
of Marin. This school is like down the road from where I work at in
San Rafael, California.
Notice that lack of any third (or more) arguments in that pipe open,
and the lack of program name in the 2nd argument.




See here where it mucks around with $EUID? If you used either the
two argument open which contained the command name and all of its arguments
in the 2nd argument, or the 3 or more argument form, then you would not
have an opportunity to do this before the $program got executed. That is
the main thing that makes this safer than the alternative. The second
thing is that by using the multi-argument form of exec, you prevent the
shell from trying to interpret the arguments (this one you could also do,
on sufficiently modern Perls, by using the more than 3 argument pipe open).

Peter J. Holzer said in a previous post that doing something like:
open(FOO, '|-', 'tr', '[a-z]', '[A-Z]'); #3 or more argument form of open

Doesn't spawn a shell.
 
xhoster

grocery_stocker said:
See here where it mucks around with $EUID? If you used either the
two argument open which contained the command name and all of its
arguments in the 2nd argument, or the 3 or more argument form, then you
would not have an opportunity to do this before the $program got
executed. That is the main thing that makes this safer than the
alternative. The second thing is that by using the multi-argument form
of exec, you prevent the shell from trying to interpret the arguments
(this one you could also do, on sufficiently modern Perls, by using the
more than 3 argument pipe open).

Peter J. Holzer said in a previous post that doing something like:
open(FOO, '|-', 'tr', '[a-z]', '[A-Z]'); #3 or more argument form of open

Doesn't spawn a shell.

I think he was wrong. It needs to be more than 3. Exactly three will
still start a shell (or at least it will if it detects any shell special
characters).

Xho
 
Peter J. Holzer

["Followup-To:" header set to comp.lang.perl.misc.]
What's the difference between
open(FOO, "│tr ’[a-z]’ ’[A-Z]’");
and
open(FOO, ’│-’, "tr ’[a-z]’ ’[A-Z]’");

None.

If both these constructs are the same, then why does perlipc rattle on
about using |- for safe pipe opens.

Look again. perldoc perlipc does NOT advocate the use of
open(FOO, '|-', "tr '[a-z]' '[A-Z]'");
as safe. It tells you to either use
open(FOO, '|-')
and then
exec('tr', '[a-z]', '[A-Z]');
in the child or (for perl >= 5.8.0) use the list form:
open(FOO, '|-', 'tr', '[a-z]', '[A-Z]');
just as I did (in the part you snipped).

The difference is safety doesn't come from separating '|-' from the
command name[0], but from separating the arguments from the program
name. Note that perlipc also uses the LIST form of exec - had they used
exec("tr '[a-z]' '[A-Z]'") instead, the advantage would have been lost.

(In this example, it really doesn't matter since you use a fixed string
hard coded into your script. exec and open only become unsafe if you
construct the arguments from untrusted user input).

hp

[0] In general, open with a MODE is safer than only an EXPR, especially
for '<', and also for '-|' under some circumstances, but I can't
construct a case for '|-'. You should still make a habit of avoiding
the two-argument form of open.
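
The three forms discussed in this thread, side by side, as an added example (not code from any poster or from perlipc). It uses '-|' instead of '|-' so the child's output can be captured; the shell rule is the same for both modes. With the string form the shell runs the marker command, while the list form and the fork-then-exec form hand it to the program as one literal argument. `echo`, the sub names and the value of `$arg` are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use English qw(-no_match_vars);

# Constructed stand-in for untrusted input: text plus a harmless marker command.
my $arg = 'a-z; echo SHELL_RAN';

# Slurp the output of a pipe open. With no @args this is the 3-argument form
# (command string, handed to /bin/sh when it contains shell metacharacters);
# with @args it is the list form (perl >= 5.8.0, direct exec, no shell).
sub read_pipe {
    my ($cmd, @args) = @_;
    open(my $fh, '-|', $cmd, @args) or die "cannot start '$cmd': $!";
    my $out = do { local $/; <$fh> };
    close($fh) or warn "child exited with status $?";
    return $out;
}

# perlipc-style safe pipe open: fork first, adjust the child, then exec a LIST.
sub read_forked {
    my ($cmd, @args) = @_;
    my $pid = open(my $fh, '-|');          # implicit fork, no command given
    die "cannot fork: $!" unless defined $pid;
    if ($pid == 0) {                       # child: STDOUT is the pipe
        # Same step as the perlipc code quoted in the thread (group first
        # here); it only has an effect when the script runs setuid/setgid.
        $EGID = $GID;
        $EUID = $UID;
        exec { $cmd } $cmd, @args;         # indirect-object form: never a shell
        die "cannot exec '$cmd': $!";
    }
    my $out = do { local $/; <$fh> };
    close($fh) or warn "child exited with status $?";
    return $out;
}

my %result = (
    'string form' => read_pipe("echo $arg"),
    'list form'   => read_pipe('echo', $arg),
    'fork + exec' => read_forked('echo', $arg),
);
for my $form ('string form', 'list form', 'fork + exec') {
    (my $shown = $result{$form}) =~ s/\n/\\n/g;   # make newlines visible
    printf "%-12s %s\n", $form, $shown;
}
```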
 
Peter J. Holzer

I keep meaning to take an intro computer science class at the College
of Marin. This school is like down the road from where I work at in
San Rafael, California.

I don't think you need a computer science class to use a news reader.
For a start, you could try Thunderbird (it isn't a great newsreader, but
it's ok, simple to use and cross-platform).

hp
 
Peter J. Holzer

grocery_stocker said:
Peter J. Holzer said in a previous post that doing something like:
open(FOO, '|-', 'tr', '[a-z]', '[A-Z]'); #3 or more argument form of open

Doesn't spawn a shell.

I think he was wrong.

If I had said that I would have been wrong, but I didn't. I was talking
about the list form of open, which has at least 4 arguments:

open FILEHANDLE,MODE,EXPR,LIST

It needs to be more than 3. Exactly three will
still start a shell (or at least it will if it detects any shell special
characters).

Right.

hp
 
Peter J. Holzer

Clearly they are introduced in your posting software, not your browsing
software.

His posting software was Google Groups (yes, I looked at his headers
before I suggested that the problem could be related to Google or his
browser). Last time I looked Google groups didn't have an NNTP
interface, so you need a browser to use it.

BTW I just posted a test message via Google groups and it didn't mangle
my single quotes and pipes, so I still think it's his browser or
something else on his computer (maybe he wrote his posting with MS-Word
and pasted it into google groups or something like that).

hp
 
