Elegant system calls in haskell

Question

I'm making a web-site where users can log in using the kerberos service. Though, it's quite irrelevant for my problem.

Since I'm using kerberos I want to use a system call to invoke kinit, but I don't know the best way to do it.

So far I got:

module Kerberos where

system :: String -> IO ExitCode
-- system is loaded through imports

type Username = String
type Password = String

kerberosValidate :: Username -> Password -> IO Bool
kerberosValidate username password = fmap (== ExitSuccess) $ 
  system $ "echo " ++ password ++ " | kinit " ++ username 

Something like that, which should work so-so. I have three problems with this though.

• There is no escaping of the username and password strings. This is important since there being a website passing any received input to this function.
• Ideally password should not be passed to kinit process with echo password |. Is there some function taking standard in as an argument?
• Similarly for username, username should be passed as an argument. I think rawSystem solves this though.

Is there any system-function that helps me out here?

Answer 1

Use createProcess and friends from System.Process.

---

A note on security: I'd advise against passing any strings through uninterpreted. You could easily write a parser for your commands, build a Haskell AST out of the result of the parse that is guaranteed to be safe, then render that to the system command. That way you'd get a static guarantee against string injection attacks, enforced by the type of the parser.