Calling External Program

    Is it possible to run a local external command from a Mivascript?

    In my example I have installed an HTML to PDF utility on my Linux server.

    I would like to call this command line utility from a Mivascript and pass parameters to it.

    I vaguely remember accomplishing something similar to this in the old days by MvCalling a shell script.

    Does the modern version of Mivascript have any newer way to accomplish this?

    Thanks,
    Tim

    #2
    Re: Calling External Program

    Maybe toolkit's callURL?
    Larry
    Luce Kanun Web Design
    www.facebook.com/wajake41
    www.plus.google.com/116415026668025242914/posts?hl=en




      #3
      Re: Calling External Program

      If you are actually talking about MivaScript, MvCall is still the workhorse when it comes to connecting with & corresponding with outside resources.

      It HAS been significantly updated. The best reference available is here:

      http://www.mivascript.com/
      Bruce Golub
      Phosphor Media - "Your Success is our Business"

      Improve Your Customer Service | Get MORE Customers | Edit CSS/Javascript/HTML Easily | Make Your Site Faster | Get Indexed by Google | Free Modules | Follow Us on Facebook
      phosphormedia.com



        #4
        Re: Calling External Program

        MvCall allows you to call your website (or external sites) but.

        If your utility is installed like ImageMagick or other external processing routines then likely it cannot be called directly from a web page.

        I'm sure this can be done but likely will require some server configuration to make it accessible as some kind of CGI interface. Check with Miva Support to see how this can be set up.
        Ray Yates
        "If I have seen further, it is by standing on the shoulders of giants."
        --- Sir Isaac Newton



          #5
          Re: Calling External Program

          I was able to pass arguments to, and successfully execute the html to PDF utility by MvCalling a simple PHP script.


          <?php

          // executes HTML to PDF conversion utility
          // parameters input html file name , output PDF file name

          system('/usr/local/bin/wkhtmltopdf ' . $_GET['in_file'] . ' ' . $_GET['out_file']);

          ?>


          PHP script must be located in your script directory and chmod 755
          My script is called "gen_pdf.php"


          The MvCall looks like this:

          <MvASSIGN NAME="script_name" VALUE="http://(your path Here)gen_pdf.php?">
          <MvASSIGN NAME="arg1" VALUE="{'in_file=' $ (your variable) $ '.htm&'}">
          <MvASSIGN NAME="arg2" VALUE="{'out_file=' $ (your variable) $ '.pdf'}">

          <MvCALL ACTION="{script_name $ arg1 $ arg2}"
          METHOD="GET">
          </MvCALL>


          I'm not a security expert, but I believe this is a safe approach.

          Hope this helps someone in the future.

          Tim



            #6
            Re: Calling External Program

            This is anything but safe. Your PHP is taking any two values handed to it and running it as a system command with who-knows-what permissions.

            Someone can pass the in_file and out_file of "; cd / ; rm -rf " and "; echo have a nice day" to really screw with you.

            Always, always, always validate data coming from unknown sources. I realize the likelihood of someone finding this file is small, but if it's on the web, SOMEONE will find it and you won't like the results.



              #7
              Re: Calling External Program

              Originally posted by Scott McCollough:
              This is anything but safe. Your PHP is taking any two values handed to it and running it as a system command with who-knows-what permissions.

              Someone can pass the in_file and out_file of "; cd / ; rm -rf " and "; echo have a nice day" to really screw with you.

              Always, always, always validate data coming from unknown sources. I realize the likelihood of someone finding this file is small, but if it's on the web, SOMEONE will find it and you won't like the results.
              Hi Scott,

              I see the point you are making.
              My thought was that since the PHP script is hardcoded to execute a specific command
              '/usr/local/bin/wkhtmltopdf '
              then the only vulnerability is that someone could potentially pass arguments to that utility.
              I figured that no harm could come given that the utility doesn't have any vulnerabilities of its own.
              I will Google for any known vulnerabilities for that program.

              Thanks for the feedback.
              Tim



                #8
                Re: Calling External Program

                A simple check of the referrer ip (S.remote_addr) should protect it.
                Bruce Golub



                  #9
                  Re: Calling External Program

                  Originally posted by Bruce - PhosphorMedia:
                  A simple check of the referrer ip (S.remote_addr) should protect it.
                  Not necessarily. IIRC, the referrer header is just a piece of data that's sent by the browser or other client software. A malicious user with suitable software can put anything in there.
                  Kent Multer
                  Magic Metal Productions
                  http://TheMagicM.com
                  * Web developer/designer
                  * E-commerce and Miva
                  * Author, The Official Miva Web Scripting Book -- available on-line:
                  http://www.amazon.com/exec/obidos/IS...icmetalproducA



                    #10
                    Re: Calling External Program

                    Originally posted by tmallardi:
                    Hi Scott,

                    I see the point you are making.
                    My thought was that since the PHP script is hardcoded to execute a specific command
                    '/usr/local/bin/wkhtmltopdf '
                    then the only vulnerability is that someone could potentially pass arguments to that utility.
                    I figured that no harm could come given that the utility doesn't have any vulnerabilities of its own.
                    I will Google for any known vulnerabilities for that program.

                    Thanks for the feedback.
                    Tim
                    Hi Tim,

                    My comment is not about a vulnerability within the pdf maker program itself, it is that you are sending a command to the system unfiltered. Look at my example again, I send "; cd / ; rm -rf" as the first 'filename'. Which means you are issuing the command
                    Code:
                    /usr/local/bin/wkhtmltopdf ; cd / ; rm -rf
                    to the command line. The semicolons act as breaks so instead of issuing a single command you are actually issuing three.
                    1) Run the wkhtmltopdf program without any parameters. Most likely will just pop up a help screen
                    2) Change to the root directory of the hard drive
                    3) Delete all files without warning and without prejudice. Basically wiping out the whole drive

                    Put as many layers of security around that as you can;
                    - Check the IP address to make sure it's coming only from the local box
                    - Double check the inputs to make sure only certain characters are allowed
                    - And so on...

                    The safest way would be to have the Merchant software write out the names to a database along with a unique token. Then just send the token to the PHP file. Once the token is used, delete it from the table.

                    Be safe out there...

                    Comment
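
The layers listed in post #10 (local callers only, allowlisted characters) plus shell quoting, written out as a replacement for gen_pdf.php; this is an added example, not code from the thread. It assumes a hypothetical working directory DOC_DIR and that the MvCALL reaches the script over loopback; REMOTE_ADDR here is the TCP peer address recorded by the web server, not a header supplied by the client.

```php
<?php
// Hardened gen_pdf.php (added example, not the poster's code).
// Assumptions: DOC_DIR is a hypothetical working directory, and the MvCALL
// targets this host over loopback, so REMOTE_ADDR is 127.0.0.1 or ::1.
const WKHTMLTOPDF = '/usr/local/bin/wkhtmltopdf';
const DOC_DIR     = '/var/www/pdfwork';

// Allowlist: a bare file name that starts with a letter or digit (so it can
// never be read as an option) and has no slash, space or shell metacharacter.
function valid_name(string $name, string $ext): bool
{
    return preg_match('/\A[A-Za-z0-9][A-Za-z0-9_-]{0,63}\.' . $ext . '\z/', $name) === 1;
}

// Returns the command line to run, or null when the request must be refused.
function build_command(array $get, string $remote_addr): ?string
{
    // Layer 1: accept local callers only.
    if (!in_array($remote_addr, ['127.0.0.1', '::1'], true)) {
        return null;
    }
    // Layer 2: both parameters must be strings that match the allowlist.
    $in  = $get['in_file']  ?? '';
    $out = $get['out_file'] ?? '';
    if (!is_string($in) || !is_string($out)
        || !valid_name($in, 'htm') || !valid_name($out, 'pdf')) {
        return null;
    }
    // Layer 3: quote each argument so the shell sees exactly two words.
    return WKHTMLTOPDF . ' ' . escapeshellarg(DOC_DIR . '/' . $in)
                       . ' ' . escapeshellarg(DOC_DIR . '/' . $out);
}

if (PHP_SAPI !== 'cli') {               // web request: validate, then run
    $cmd = build_command($_GET, $_SERVER['REMOTE_ADDR'] ?? '');
    if ($cmd === null) {
        http_response_code(400);
        exit('bad request');
    }
    exec($cmd, $output, $status);
    exit($status === 0 ? 'ok' : 'conversion failed');
}

// CLI run with constructed inputs: only builds the command, executes nothing.
$bad = ['in_file' => '; cd / ; rm -rf ', 'out_file' => '; echo have a nice day'];
var_dump(build_command(['in_file' => 'order1001.htm', 'out_file' => 'order1001.pdf'], '127.0.0.1'));
var_dump(build_command($bad, '127.0.0.1'));
var_dump(build_command(['in_file' => 'order1001.htm', 'out_file' => 'order1001.pdf'], '203.0.113.9'));
```

Run from the `php` command line, the script dumps what build_command() returns for each constructed request and never starts wkhtmltopdf.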


                      #11
                      Re: Calling External Program

                      If possible, I would incorporate some type of key that must be validated before it can execute any instructions.
                      Thank you, Bill Davis

                      Comment
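
The one-time token scheme suggested in post #10, which also covers the validated key asked for in post #11, as an added example that is not code from the thread. The pdf_jobs table, the function names and the in-memory SQLite database are assumptions standing in for whatever store the Merchant software uses.

```php
<?php
// One-time token hand-off (added example). Table and function names are
// hypothetical; in-memory SQLite stands in for the store's real database.
function open_store(): PDO
{
    $db = new PDO('sqlite::memory:');
    $db->setAttribute(PDO::ATTR_ERRMODE, PDO::ERRMODE_EXCEPTION);
    $db->exec('CREATE TABLE pdf_jobs (token TEXT PRIMARY KEY,
               in_file TEXT, out_file TEXT, expires INTEGER)');
    return $db;
}

// Store side: record the file names and hand back an unguessable token.
function issue_token(PDO $db, string $in, string $out, int $ttl = 60): string
{
    $token = bin2hex(random_bytes(16));
    $db->prepare('INSERT INTO pdf_jobs VALUES (?, ?, ?, ?)')
       ->execute([$token, $in, $out, time() + $ttl]);
    return $token;
}

// gen_pdf.php side: the token is the only request parameter it accepts.
function redeem_token(PDO $db, string $token): ?array
{
    if (preg_match('/\A[0-9a-f]{32}\z/', $token) !== 1) {
        return null;
    }
    $db->beginTransaction();
    $sel = $db->prepare('SELECT in_file, out_file FROM pdf_jobs
                         WHERE token = ? AND expires >= ?');
    $sel->execute([$token, time()]);
    $job = $sel->fetch(PDO::FETCH_ASSOC);
    $sel->closeCursor();
    // Delete on every lookup; only the caller whose DELETE removed the row wins.
    $del = $db->prepare('DELETE FROM pdf_jobs WHERE token = ?');
    $del->execute([$token]);
    $deleted = $del->rowCount();
    $db->commit();
    return ($job && $deleted === 1) ? $job : null;
}

// Constructed demo: the second call replays the same token.
$db    = open_store();
$token = issue_token($db, 'order1001.htm', 'order1001.pdf');
var_dump(redeem_token($db, $token));
var_dump(redeem_token($db, $token));
```

File names returned by redeem_token() should still be validated and passed through escapeshellarg() before they reach the command line.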


                        #12
                        Re: Calling External Program

                        Scott,

                        I didn't realize what the semicolons did. I totally understand your point now.

                        I will indeed parse the input.

                        Thanks!
                        Tim
