
Calling a Unix application from a webpage

  • 16-10-2007 11:40pm
    #1
    Closed Accounts Posts: 4,842 ✭✭✭


    Hi there folks,
    Quick question and sorry if this sounds stupid (or if it belongs in the Webmaster or Programming forum). Is there any scripting language I can use to call an external application in a webpage?

    Basically what I want to do is have a form on a page with a text box, user enters text into text box and presses submit. Script passes this string to a Unix application in /usr/local which then exports a WAV file which is passed back to the script to be played. Am I right in saying that either PHP or CGI could do this? I've googled a lot but couldn't find anything relevant.

    I can handle playing the WAV etc and security isn't of *huge* importance to me at the moment (only going to be used on my local webserver).

    I'm using an iBook but thought it'd suit better here as it's more geared towards a Unix environment and it's an application ported over from Linux.

    If anyone can help I'd appreciate it.

    Cheers


Comments

  • Registered Users, Registered Users 2 Posts: 37,485 ✭✭✭✭Khannie


    perl cgi could definitely do this. Not a bother on it. I'm not familiar with PHP tbh.

    edit: In fact, you could probably just do this with a normal shell script.


  • Registered Users, Registered Users 2 Posts: 432 ✭✭Catch_22


    cgi isn't a language as such, it's just an interface which is designed to do just what you describe. Have a look into cgi further; it will do it in any language you wish. You just define the form on your webpage with:

    <form action=$YOURSCRIPT method=GET>

    then when submit is hit the script is run; it's then up to this script to spit out more html or recall the original page.


  • Registered Users, Registered Users 2 Posts: 545 ✭✭✭ravydavygravy


    I was doing something with that yesterday - here's what I threw together (PHP). Note, this is for an internal work website, so if it's proper web facing, you might need a few more security considerations. Having said that, I don't believe it's terribly insecure, but you have to remember that when you have a form that allows a user to manipulate the command to be run internally in a shell, the potential for misuse is high. Especially on a public website.

    Also, don't forget to make sure the web server user (e.g. apache) has permissions to run the command you are trying to run with the script.
    <html>
    <body>
    <table width=100% height=100%>
    <tr><td valign='top'>
    <center>
    <font face='arial,helvetica' size=+4><bold>Add a Trace</bold></font>
    <br/><br/>
    <font face='arial,helvetica' size=+2>
    <?php
       ### If I'm running the page as the result of a valid POST operation...
       if (isset($_POST['tid']))
       {
           $command = "/usr/local/bin/trace " . escapeshellcmd($_POST['tid']);
    
           echo "Running $command<br/>";
    
           $result = system($command);
    
           if($result)
           {
               echo "<br/>Trace for ".escapeshellcmd($_POST['tid'])." added";
           }
           else
           {
               echo "<br/>Problem adding trace";
           }
       }
       ### Otherwise, set up the form to make the POST operation....
       else
       {
           echo "<form method='POST' action='addTrace.php'>";
           echo "TID to trace:";
           echo "<br/>";
           echo "<input type='text' name='tid' value='' size='8'/>";
           echo "<br/><br/>";
           echo "<INPUT type='submit' value='Create Trace'><INPUT type='reset'>";
           echo "</form>";
       }
    
       echo "<br><br>Return to <a href='index.php'>main</a> page...";
    ?>
    </font>
    </td></tr>
    </table>
    </body>
    </html>
    


  • Hosted Moderators Posts: 7,486 ✭✭✭Red Alert


    An easy program might be a perl script which has the Perl:CGI module to let you put stuff into the program from a form, PHP or even C if you put in the CGI include files.

    If you want to make it more secure you can look at what's called data tainting if you use Perl that limits what can be sent to a shell escape.


  • Closed Accounts Posts: 669 ✭✭✭pid()


    I was doing something with that yesterday - here's what I threw together (PHP). Note, this is for an internal work website, so if it's proper web facing, you might need a few more security considerations. Having said that, I don't believe it's terribly insecure, but you have to remember that when you have a form that allows a user to manipulate the command to be run internally in a shell, the potential for misuse is high. Especially on a public website.

    Also, don't forget to make sure the web server user (e.g. apache) has permissions to run the command you are trying to run with the script.
    <html>
    <body>
    <table width=100% height=100%>
    <tr><td valign='top'>
    <center>
    <font face='arial,helvetica' size=+4><bold>Add a Trace</bold></font>
    <br/><br/>
    <font face='arial,helvetica' size=+2>
    <?php
       ### If I'm running the page as the result of a valid POST operation...
       if (isset($_POST['tid']))
       {
           $command = "/usr/local/bin/trace " . escapeshellcmd($_POST['tid']);
    
           echo "Running $command<br/>";
    
           $result = system($command);
    
           if($result)
           {
               echo "<br/>Trace for ".escapeshellcmd($_POST['tid'])." added";
           }
           else
           {
               echo "<br/>Problem adding trace";
           }
       }
       ### Otherwise, set up the form to make the POST operation....
       else
       {
           echo "<form method='POST' action='addTrace.php'>";
           echo "TID to trace:";
           echo "<br/>";
           echo "<input type='text' name='tid' value='' size='8'/>";
           echo "<br/><br/>";
           echo "<INPUT type='submit' value='Create Trace'><INPUT type='reset'>";
           echo "</form>";
       }
    
       echo "<br><br>Return to <a href='index.php'>main</a> page...";
    ?>
    </font>
    </td></tr>
    </table>
    </body>
    </html>
    

    yourscript?command=/bin/ls|

    whoops.


  • Registered Users, Registered Users 2 Posts: 545 ✭✭✭ravydavygravy


    pid() wrote: »
    yourscript?command=/bin/ls|

    whoops.

    .... does nothing? But I agree, this script does not have much security built in. But again, refer to what I said - for my use, it don't matter (it's only used by me and some other admins, on a secure internal only webserver. We have full access to the system anyway)

    For a real website, definitely read up on securing these commands properly.... The important thing is that you properly sanitize the input from the user before you run it with system() or exec() or any of those commands....


  • Closed Accounts Posts: 4,842 ✭✭✭steveland?


    .... does nothing? But I agree, this script does not have much security built in. But again, refer to what I said - for my use, it don't matter (it's only used by me and some other admins, on a secure internal only webserver. We have full access to the system anyway)

    For a real website, definitely read up on securing these commands properly.... The important thing is that you properly sanitize the input from the user before you run it with system() or exec() or any of those commands....

    By way of security would running a preg_replace on ";" and "|" characters to remove them be the main ones thus not allowing anyone to run any other sneaky commands? Any other ones I should be conscious of if I wanted to one day deploy it on the web?

    I'm not sure how I go about granting Apache permission to run applications, would this be a setting in httpd.conf or permissions for certain files?

    Or grant permissions on the application itself so that all groups can execute it?

    Cheers


  • Registered Users, Registered Users 2 Posts: 545 ✭✭✭ravydavygravy


    steveland? wrote: »
    By way of security would running a preg_replace on ";" and "|" characters to remove them be the main ones thus not allowing anyone to run any other sneaky commands? Any other ones I should be conscious of if I wanted to one day deploy it on the web?

    I'm not sure how I go about granting Apache permission to run applications, would this be a setting in httpd.conf or permissions for certain files?

    Or grant permissions on the application itself so that all groups can execute it?

    Cheers

    Don't re-invent the wheel - PHP has several functions for cleaning up user input - see for example "escapeshellcmd()" in the PHP manual. But your basic idea is right - you need to ensure the final string used as a command cannot do nasty things to your system.

    Re: permissions, I was talking about unix file permissions - for example, ensuring user apache has sufficient permissions in the file system to run the command you want.

    Dave
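
Added example, not part of the thread and not any poster's code: one way to harden the addTrace.php handler discussed above by validating the input against an allowlist and running the binary without a shell. It assumes PHP 7.4+, that a TID is 1-8 digits, and that `trace` exits 0 on success; `validate_tid`, `run_argv` and the `--verbose` sample are hypothetical names made up for illustration.

```php
<?php
// Added example, not code from the thread. Assumes PHP 7.4+ (array form of
// proc_open) and that a valid TID is 1-8 digits (assumption from size='8').

const TRACE_BIN = '/usr/local/bin/trace';   // path from the posted script

// Allowlist: accept only what a TID can look like, reject everything else.
function validate_tid(string $raw): ?string
{
    return preg_match('/\A[0-9]{1,8}\z/', $raw) === 1 ? $raw : null;
}

// Run a program from an argument vector. With an array, proc_open() executes
// the binary directly, so no shell ever parses the user's input.
function run_argv(array $argv): array
{
    $spec = [1 => ['pipe', 'w'], 2 => ['file', '/dev/null', 'w']];
    $proc = proc_open($argv, $spec, $pipes);
    if (!is_resource($proc)) {
        return [-1, ''];
    }
    $out = stream_get_contents($pipes[1]);
    fclose($pipes[1]);
    return [proc_close($proc), $out];      // [exit status, stdout]
}

if (PHP_SAPI === 'cli') {
    // Constructed input. The space survives escapeshellcmd(), so a shell
    // would split it into two arguments; escapeshellarg() quotes it as one.
    $sample = '1234 --verbose';
    var_dump(escapeshellcmd($sample), escapeshellarg($sample));
    var_dump(validate_tid($sample), validate_tid('1234'));
} elseif (is_string($_POST['tid'] ?? null)) {
    $tid = validate_tid($_POST['tid']);
    if ($tid === null) {
        http_response_code(400);
        echo 'Invalid TID';
    } else {
        [$status, $out] = run_argv([TRACE_BIN, $tid]);
        // Assumes trace exits 0 on success; echoed data is HTML-escaped.
        echo $status === 0
            ? 'Trace for ' . htmlspecialchars($tid) . ' added'
            : 'Problem adding trace';
    }
}
```

Stripping ";" and "|" is a blocklist and misses other shell metacharacters; the allowlist plus shell-free execution removes that class of problem instead of chasing individual characters.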

