0

I am developing an automation script in Perl. For authentication I have written a subroutine which takes the password input from the user and returns it to the main Perl program, which in turn passes the password to the tool that I need to automate.

This script goes fine with every case unless the character # is part of the password. Then it is not able to automate the tool and fails for authentication.

Below is the subroutine which I used for taking password input.

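```perl
use strict;
use warnings;
use Win32::Console;

# Read a password from the console, echoing '*' for each character typed.
sub password() {
    my $StdIn = Win32::Console->new(STD_INPUT_HANDLE);
    my $Password = "";

    # Processed input only: no line buffering and no echo of typed characters.
    $StdIn->Mode(ENABLE_PROCESSED_INPUT);
    print "Enter Password: ";

    # Read one character at a time until line feed (10) or carriage return.
    while (ord(my $Data = $StdIn->InputChar(1)) != 10) {
        if ("\r" eq $Data) {
            last;
        }
        elsif ("\ch" eq $Data) {
            # Backspace (Ctrl-H): drop the last character and erase one '*'.
            if ("" ne chop($Password)) {
                print "\ch \ch";
            }
            next;
        }
        $Password .= $Data;
        print "*";
    }
    return $Password;
}
```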

I am calling the above subroutine as

$passwd = &password();

And then passing the $passwd to the tool that I need to automate as below,

This is the line in which I pass the password to tool,

cc -c URL OF THE TOOL:$server -d $domain -t $appl -u $userid -p $passwd; \n"; 

Can anyone please cross check the code for calling the password() subroutine, returning $password and passing $passwd to the tool. I think the error may be at one of the three places. Someone please help and if possible provide the code too.

Gautam Kumar
  • When you call the program with the `#` sign in the password, is the password quoted? `#` is the comment sign in perl. Can you show some code? – simbabque May 07 '12 at 07:04
  • I have added the calling part now. Please see. – Gautam Kumar May 07 '12 at 07:06
  • You already said that the *reading* routine is working correctly. You should show us the part where you pass the password to another tool. – Kilian Foth May 07 '12 at 07:51
  • This is the line in which I pass the password to tool, cc -c https://URL OF THE TOOL:$server -d $domain -t $appl -u $userid -p $passwd; \n"; – Gautam Kumar May 07 '12 at 07:57
  • @gautamkumar Apparently the shell does it. You should at least *quote* the password (or pass it as null-terminated string, if possible). – Alois Mahdal May 07 '12 at 08:02
  • You mean to say I should pass it as "$passwd" instead of $passwd as below.. cc -c https://cmsmain.wdf.sap.corp:$server -d $domain -t $appl -u $userid -p "$passwd";lsc --developed; \n"; – Gautam Kumar May 07 '12 at 08:05
  • ...and please use `backticks` also in comments – Alois Mahdal May 07 '12 at 08:05
  • Can anyone please cross check the code for calling the password() subroutine, returning $password and passing $passwd to the tool. I think the error may be at one of the three places. Please help if you can. Thanks in advance. Please help. I need it urgently. – Gautam Kumar May 07 '12 at 08:25
  • @gautamkumar Please specify how you call it, what OS you are on (we can assume Windows, but you could also be running Cygwin?) and what your default shell interpreter is. Putting the password in double quotes would be the least you could do, but then your code might break anyway if it contained a double quote itself. I would also check the "cc" tool's documentation for a safer way to pass data to it.... – Alois Mahdal May 07 '12 at 09:29
  • @AloisMahdal Yes, it's Windows... and where should I use the double quotes: 1. in the subroutine password(), i.e. return "$password", OR 2. in the main Perl file while calling the subroutine password(), i.e. $passwd = &password();, OR 3. while passing the password to the tool, i.e. cc -c https://url of tool:$server -d $domain -t $appl -u $userid -p $passwd;lsc --developed; – Gautam Kumar May 07 '12 at 09:36
  • You need to be more specific about how you pass the password to the tool. `cc -c URL ....` is not valid perl code. If it is command-line, then how do you pass the variables there? Using `system` or backticks? Some module? – TLP May 07 '12 at 13:03

2 Answers

1

You are probably passing the user input to an external tool of some sort that doesn't support literal #, perhaps because it is interpreted as "start of comment". The shell is a likely suspect. But without sample code, it is impossible for us to be sure what your problem is.

Kilian Foth
1

It seems to me like an issue with quoting on the shell side. Proper quoting rules are entirely dependent on your system's command shell. In bash, for example, you can often be fairly safe with something like -p '$password', while transliterating ' to \' in the Perl script. Or there could be a module for that, of which I'm not aware.

However, it's the "cc" thing you're passing data into. The tool could support an easier way to safely pass the password, i.e. avoid the need of quoting arbitrary data. Examples of such facilities are via STDIN, via an external file (well, that could actually be pretty unsafe :)) or as a null-terminated string. Or passing the hash only. So I'd look into the documentation.

Be aware that by passing user collected data into shell, you're posing a great security risk. Consider using Perl's Taint mode.

Update: You say it's Windows, so I should warn you: quoting for cmd.exe is one of the most complicated, painful and frustrating things I've ever done. Have a look at this question

Community
Alois Mahdal
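The two routes the answers point to, as an added example that is not code from the question or from either answer: handing the password to the child as its own list-form argument so no shell parses it, and writing it to the child's STDIN. A child perl (`$^X`) stands in for the `cc` tool and the sample password is constructed; whether the real tool can read a password from STDIN is an assumption to check in its documentation.

```perl
use strict;
use warnings;
use IPC::Open2;

# Constructed sample password with characters a shell may interpret.
my $passwd = 'p#ss w&rd|$x';

# Hypothetical stand-ins for the real tool: each child perl prints back
# exactly what it received, so the round trip can be compared.
my @tool_argv  = ($^X, '-e', 'print $ARGV[0]');
my @tool_stdin = ($^X, '-e', 'local $/; print scalar <STDIN>');

# Run a command given as a LIST (no shell parses the arguments),
# optionally feed data to its STDIN, and return everything it printed.
sub run_tool {
    my ($stdin_data, @cmd) = @_;
    my $pid = open2(my $out, my $in, @cmd);
    print {$in} $stdin_data if defined $stdin_data;
    close $in;                                  # child sees end of input
    my $got = do { local $/; <$out> } // '';    # slurp the child's output
    waitpid $pid, 0;
    return $got;
}

# Route 1: the password is one element of the argument list. It is not
# interpolated into a command string, so '#', '&' and '|' reach the child
# as data. On Windows the list is still joined into a single command line
# for the child, and the argument is visible in process listings.
my $via_argv = run_tool(undef, @tool_argv, $passwd);

# Route 2: the password never appears on a command line at all.
my $via_stdin = run_tool($passwd, @tool_stdin);

for my $case ([argv => $via_argv], [stdin => $via_stdin]) {
    my ($route, $got) = @$case;
    printf "%-5s: %s\n", $route,
        $got eq $passwd ? 'received intact' : "mangled: [$got]";
}
```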