
PERL Problem

  • 18-11-2006 11:01pm
    #1
    Closed Accounts Posts: 1,541 ✭✭✭


    Hi,

    I have a problem with PERL.

    Basically I'm using a BATCH file to automatically generate a graph.

    So I call the batch file as follows in PERL:
    system('makegraph.bat');
    

    However, the batch file only generates and stores the graph in the cgi-bin. It stores it as im1.gif. However, I cannot display the image on the webpage as it is located in the cgi-bin. Does anyone know if there is a way around this - is there a way of storing a .gif image in the cgi-bin and still displaying it on a webpage?

    I also tried to move the batch file to my root directory, which is htdocs on my Apache server. The batch file generates the .gif image OK. However, I cannot seem to be able to call the batch file from my PERL script in the cgi-bin. Is there any way of calling a batch file located in your root directory from a PERL script in the cgi-bin?

    I've tried:
    system('C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\batchfile.bat');
    

    but it does not work.

    Any ideas?


Comments

  • Registered Users Posts: 32,136 ✭✭✭✭is_that_so


    Have you tried getting the batch file to produce the output elsewhere rather than the current directory?
    e.g. "type output >> C:\Program Files\Apache Software Foundation\Apache2.2\htdocs\myoutputfile"


  • Registered Users Posts: 2,278 ✭✭✭mackerski


    I suppose this isn't really a perl question, since the perl bit is doing what you expect. First off, if I'm reading correctly, your batch file just happens to be in your cgi-bin directory. This is:

    a) Not necessary. You can put it anywhere on the file system that the running perl script has sight of.

    b) Possibly unwise. Anything in the cgi-bin directory can be caused to run directly by a user as long as the user can guess what it's called. Depending on what the script can actually do, this would be a Bad Thing.

    system() will be able to call your batch file if it's in other directories, though I can see you've had issues trying to make this happen. Part of the problem is that you appear to be on a Windows platform, which likes backslashes in file paths, whereas perl thinks that the backslash is special and likes to use it to escape other characters. You can get the behaviour you want by doubling up the backslashes.

    However:

    Look at what you're doing here. I've already mentioned the issues involved in putting your executable batch file in a place where an end user can cause it to run. Imagine the crack when you put it in a place where they can actually download and read it too - because that's what you're doing if you put it in the document root. As a batch file, the contents will be understandable to all and sundry. I can't tell how private the contents are, or how much it reveals about the workings of your site, but best-practice it ain't.

    The big problem here is that the batch file seems to want to write its output to the same directory it runs out of. That should be easily fixable. At the very least, you should be able to add a "copy" command to put it into the document area. If you can modify the batch file to write its output to the correct directory independently of where it's actually located then you'll have solved your problem, and you can keep your non-CGI executables the hell away from any part of the file system where users are allowed to go, like nature intended.

    Dermot


  • Closed Accounts Posts: 1,541 ✭✭✭finnpark


    Thanks for your advice.

    Basically the Batch file is only 2 lines and uses code from weekgraph.htm.

    @echo off
    pl -gif weekgraph.htm


    How would I change the batch file to only use files/generate graph in root directory?


  • Registered Users Posts: 32,136 ✭✭✭✭is_that_so


    finnpark wrote:
    Thanks for your advice.

    Basically the Batch file is only 2 lines and uses code from weekgraph.htm.

    @echo off
    pl -gif weekgraph.htm


    How would I change the batch file to only use files/generate graph in root directory?

    pl -gif path_to_where_I_want_the_file_to_appear\weekgraph.htm
    or
    you could set it by replacing the code in the batch file
    with
    @echo off
    set my_path=path_to_where_I_want_the_file_to_appear
    pl -gif %my_path%\weekgraph.htm


  • Closed Accounts Posts: 1,541 ✭✭✭finnpark


    I've tried copying the gif image from cgi-bin to the C drive. This works. However, whenever I try to copy it to htdocs it doesn't work. Here is the DOS code:
    copy weekgraph.gif C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
    

    Is it to do with spaces? Any ideas where I'm going wrong? I've also tried:
    copy weekgraph.gif C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
    


  • Registered Users Posts: 2,278 ✭✭✭mackerski


    finnpark wrote:
    Is it to do with spaces?

    100% yes. You have to quote file paths that have spaces in them.
    finnpark wrote:
    Any ideas where I'm going wrong?

    Based on appearances so far, I'd say trying to run before you can walk. I'd be really slow to let users from the big bad Internet access the server you'll be building here. You never know what evil will befall it.
    finnpark wrote:
    I've also tried:

    Those copy commands look identical to me. Maybe the forum software ate something.

    One parting thought: I don't understand why you'd write a perl script whose only job is to run a batch file. In principle (and I've happily never had to do this on Windows), you could have the batch file run directly as a CGI script, assuming that your server is happy to serve up whatever it generates on STDOUT. On a further note, though you don't say so directly, the implication is that the perl script as it stands is to be triggered by the user (that is, run by the CGI). If it really does just consist of that one line that runs the batch file, then the browser user won't see any screen output. Because while your script (once repaired) will generate a GIF file and put it somewhere it can be seen, nothing has so far caused it to be served up to the user.

    Dermot
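
Pulling together the advice earlier in the thread (keep the batch file out of cgi-bin and htdocs, mind the backslashes and quoting) and the point just above that nothing yet serves the GIF to the browser, here is an added example that is not code from any poster in this thread. It assumes hypothetical private directories `C:\graphs\bin` and `C:\graphs\work`, an assumed interpreter path, and that the batch file writes `weekgraph.gif` into the current directory.

```perl
#!C:/Perl/bin/perl.exe
# graph.cgi - assumed interpreter path above; all paths below are hypothetical.
use strict;
use warnings;

# Private area: not under htdocs, not under cgi-bin. The work directory holds
# weekgraph.htm and receives the generated GIF.
my $work_dir = 'C:\\graphs\\work';
my $batch    = 'C:\\graphs\\bin\\makegraph.bat';
my $gif      = "$work_dir\\weekgraph.gif";

binmode STDOUT;    # no CRLF translation of the binary image on Windows

sub fail {
    my ($msg) = @_;
    warn "graph.cgi: $msg\n";    # detail goes to the server error log only
    print "Status: 500 Internal Server Error\r\n",
          "Content-Type: text/plain\r\n\r\n",
          "Could not generate the graph.\r\n";
    exit 0;
}

# The batch file writes into the current directory, so choose it explicitly.
chdir $work_dir or fail("chdir $work_dir: $!");
unlink $gif;       # never serve a stale image from an earlier run

# Doubled backslashes above, quotes here in case the path ever gains a space.
# Nothing supplied by the browser is interpolated into the command line.
my $rc = system(qq{"$batch"});
fail("makegraph.bat failed, system() returned $rc") if $rc != 0;

open(my $fh, '<', $gif) or fail("open $gif: $!");
binmode $fh;
my $size = -s $fh;

print "Content-Type: image/gif\r\n",
      "Content-Length: $size\r\n",
      "Cache-Control: no-store\r\n\r\n";

while (read($fh, my $buf, 8192)) {
    print STDOUT $buf;
}
close $fh;
```

With this layout the only file in cgi-bin is the Perl script, and the page embeds the graph with an ordinary image tag pointing at the script's URL.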


  • Registered Users Posts: 32,136 ✭✭✭✭is_that_so


    finnpark wrote:
    I've tried copying the gif image from cgi-bin to the C drive. This works. However, whenever I try to copy it to htdocs it doesn't work. Here is the DOS code:
    copy weekgraph.gif C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
    

    Is it to do with spaces? Any ideas where I'm going wrong? I've also tried:
    copy weekgraph.gif C:\Program Files\Apache Software Foundation\Apache2.2\htdocs
    

    Use double quotes around any paths with spaces. Did you try editing the batch file?


  • Closed Accounts Posts: 1,541 ✭✭✭finnpark


    Hi,

    Many thanks. Have it working now. I'm using the PERL copy function now though, for handiness.

    This is what I'm trying to do:
    http://ploticus.sourceforge.net/doc/welcome.html . It's an open source software platform. Basically you run DOS commands to graph.

    Now, I'm using a batch file to run the commands and call it from PERL. I have a login area on my website where people can log in to view data specific to them in graphical format.


    Just wondering:

    1. I use system function to call the batch file. What are the issues associated with using this?

    2. I am using a batch file in my CGI-BIN. What are the security issues associated with this?

    3. I am using the copy function in PERL also - what are the security issues associated with this?

    Can anyone see any way round what I'm doing to make it all more secure? In general, the users logging in should be known to me so from that point of view the risk should be low.


  • Registered Users Posts: 2,278 ✭✭✭mackerski


    finnpark wrote:
    1. I use system function to call the batch file. What are the issues associated with using this?

    Extra overhead. You're invoking the perl compiler to have it ask the OS to run a batch file, something it's already perfectly able to do itself. Unless your web server happens not to like running batch files of course, which may make this a reasonable workaround.
    finnpark wrote:
    2. I am using a batch file in my CGI-BIN. What are the security issues associated with this?

    See my first post on this thread. There are some fundamental rules of security on web sites. The first is not to put files below your document root that aren't intended to be read by the public. An extreme case of this would be a flat file of user credit-card numbers (this has happened in the real world), but it would apply to things like your batch file too.

    The second is not to put anything in a cgi-bin directory that you don't want your users to trigger directly. Given that it's being called by perl, your batch file falls into this category - it's being run by something that isn't an end user, so take it out of the CGI directory. It doesn't need to be there. The actual security risk involved in having it there depends on whether it can actually be caused to do anything nasty, but sometimes a proggy you think is benign can expose you to stuff you don't expect. And even if well-behaved, it could be used as a Denial Of Service attack.
    finnpark wrote:
    3. I am using the copy function in PERL also - what are the security issues associated with this?

    Possibly none. However, it's easy to enhance your product in an unsafe way. Say, for instance, you came to choose the filename of the destination file based on a user-specified form field or query string contents. That could allow a remote user to cause a system file to be overwritten. So make sure you keep harmful knobs away from the punter.
    finnpark wrote:
    Can anyone see any way round what I'm doing to make it all more secure? In general, the users logging in should be known to me so from that point of view the risk should be low.

    A rule of thumb is not to expose any app to the Internet that hasn't been hardened by someone who knows his stuff. It doesn't really matter who you intend to use the app, once your box starts answering as a web server it will be probed by robotic nasties and you will have people/machines trying to break the door down. When you build a house, you either fit the door locks yourself if you think you're up to it or you call a locksmith.

    Remember that all of my comments relate to the stuff you've actually told us. We don't know what else might be insecure about your proposed server...

    Dermot
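
The copy-destination risk raised in the answer to question 3, shown as an added example (not code from the thread): the unsafe pattern beside an allowlisted one. The `graphs` subdirectory, the function names and the sample inputs are all constructed for illustration.

```perl
use strict;
use warnings;
use File::Spec;

# Assumed document-area directory for generated graphs (hypothetical).
my $GRAPH_DIR =
    'C:\\Program Files\\Apache Software Foundation\\Apache2.2\\htdocs\\graphs';

# Unsafe pattern: the form field goes straight into the path, so "..\"
# sequences or an absolute path decide which file gets overwritten.
sub dest_unsafe {
    my ($name) = @_;
    return "$GRAPH_DIR\\$name";
}

# Safer: accept only a short allowlisted token, add the extension ourselves,
# and always build the path under the one fixed directory.
sub dest_safe {
    my ($name) = @_;
    return unless defined $name;
    return unless $name =~ /\A([A-Za-z0-9_-]{1,32})\z/;
    my $token = $1;
    # Reserved Windows device names open a device rather than a file.
    return if $token =~ /\A(?:con|prn|aux|nul|com[1-9]|lpt[1-9])\z/i;
    return File::Spec->catfile($GRAPH_DIR, "$token.gif");
}

# Constructed sample inputs, standing in for a form field or query string.
my @samples = ('finnpark', 'week_47', '..\\..\\somewhere\\else',
               'C:\\other\\file.gif', 'graph.gif', 'nul', '');

for my $input (@samples) {
    my $safe = dest_safe($input);
    print "input:  [$input]\n";
    print "unsafe: ", dest_unsafe($input), "\n";
    print "safe:   ", (defined $safe ? $safe : 'REJECTED'), "\n\n";
}

# With a defined result the caller would then run, for example:
#   use File::Copy;
#   copy($source_gif, $dest) or die "copy failed: $!";
```

Since the users log in, taking the token from the server-side session's user name rather than from any request field removes the knob altogether.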

