diff --git a/config/cfgroot/general-functions.pl b/config/cfgroot/general-functions.pl index a6656ccf5..96a826a15 100644 --- a/config/cfgroot/general-functions.pl +++ b/config/cfgroot/general-functions.pl @@ -28,6 +28,77 @@ $General::adminmanualurl = 'http://wiki.ipfire.org'; require "${General::swroot}/network-functions.pl"; +# This function executes a shell command without forking a shell or do any other +# Perl-voodoo before it. It deprecates the "system" command and is the only way +# to call shell commands. +sub safe_system($) { + my @command = @_; + + system { ${command[0]} } @command; + + # Return exit code + return $? >> 8; +} + +# Calls a process in the background and returns nothing +sub system_background($) { + my $pid = fork(); + + unless ($pid) { + my $rc = &system(@_); + exit($rc); + } + + return 0; +} + +# Returns the output of a shell command +sub system_output($) { + my @command = @_; + my $pid; + my @output = (); + + unless ($pid = open(OUTPUT, "-|")) { + open(STDERR, ">&STDOUT"); + exec { ${command[0]} } @command; + die "Could not execute @command: $!"; + } + + waitpid($pid, 0); + + while () { + push(@output, $_); + } + close(OUTPUT); + + return @output; +} + +# Calls a shell command and throws away the output +sub system($) { + my @command = @_; + + open(SAVEOUT, ">&STDOUT"); + open(SAVEERR, ">&STDERR"); + + open(STDOUT, ">/dev/null"); + open(STDERR, ">&STDOUT"); + + select(STDERR); $|=1; + select(STDOUT); $|=1; + + my $rc = &safe_system(@command); + + close(STDOUT); + close(STDERR); + + # Restore + open(STDOUT, ">&SAVEOUT"); + open(STDERR, ">&SAVEERR"); + + return $rc; +} + # Function to remove duplicates from an array sub uniq { my %seen; grep !$seen{$_}++, @_ } diff --git a/config/cfgroot/ids-functions.pl b/config/cfgroot/ids-functions.pl index 2fdae4a7a..0e397ca19 100644 --- a/config/cfgroot/ids-functions.pl +++ b/config/cfgroot/ids-functions.pl @@ -118,7 +118,7 @@ sub check_and_create_filelayout() { # sub checkdiskspace () { # Call diskfree to gather the free disk space of /var. - my @df = `/bin/df -B M /var`; + my @df = &General::system_output("/bin/df", "-B", "M", "/var"); # Loop through the output. foreach my $line (@df) { @@ -463,7 +463,7 @@ sub call_suricatactrl ($) { # Call the suricatactrl binary and pass the "cron" command # with the requrested interval. - system("$suricatactrl $option $interval &>/dev/null"); + &General::system("$suricatactrl", "$option", "$interval"); # Return "1" - True. return 1; @@ -475,7 +475,7 @@ sub call_suricatactrl ($) { } else { # Call the suricatactrl binary and pass the requrested # option to it. - system("$suricatactrl $option &>/dev/null"); + &General::system("$suricatactrl", "$option"); # Return "1" - True. return 1; diff --git a/config/cfgroot/network-functions.pl b/config/cfgroot/network-functions.pl index 2f704dfbf..b7a840559 100644 --- a/config/cfgroot/network-functions.pl +++ b/config/cfgroot/network-functions.pl @@ -360,7 +360,7 @@ sub _get_wireless_status($) { my $intf = shift; if (!$wireless_status{$intf}) { - $wireless_status{$intf} = `iwconfig $intf`; + $wireless_status{$intf} = &General::system_output("iwconfig", "$intf"); } return $wireless_status{$intf}; diff --git a/html/cgi-bin/aliases.cgi b/html/cgi-bin/aliases.cgi index 4e61eb65e..85ed27204 100644 --- a/html/cgi-bin/aliases.cgi +++ b/html/cgi-bin/aliases.cgi @@ -567,7 +567,7 @@ sub SortDataFile # sub BuildConfiguration { # Restart service associated with this - system '/usr/local/bin/setaliases'; + &General::system('/usr/local/bin/setaliases'); } # diff --git a/html/cgi-bin/backup.cgi b/html/cgi-bin/backup.cgi index 683f8add4..84c015314 100644 --- a/html/cgi-bin/backup.cgi +++ b/html/cgi-bin/backup.cgi @@ -54,7 +54,7 @@ $cgiparams{'BACKUPLOGS'} = ''; ############################################################################################################################ ################################################ Workaround for Directories ################################################ -system("/usr/local/bin/backupctrl makedirs >/dev/null 2>&1 ") unless ( -e '/var/ipfire/backup/addons/backup') ; +&General::system("/usr/local/bin/backupctrl", "makedirs") unless ( -e '/var/ipfire/backup/addons/backup') ; ############################################################################################################################ ############################################## System calls ohne Http Header ############################################### @@ -85,7 +85,7 @@ if ($cgiparams{'ACTION'} eq "download") { print UPLOADFILE; } close UPLOADFILE; - system("/usr/local/bin/backupctrl restore >/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "restore"); } elsif ( $cgiparams{'ACTION'} eq "restoreaddon" ) { @@ -99,7 +99,7 @@ elsif ( $cgiparams{'ACTION'} eq "restoreaddon" ) print UPLOADFILE; } close UPLOADFILE; - system("/usr/local/bin/backupctrl restoreaddon ".$temp[$#temp]." >/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "restoreaddon", $temp[$#temp]); } &Header::showhttpheaders(); @@ -115,11 +115,11 @@ sub refreshpage{&Header::openbox( 'Waiting', 1, "/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "include"); } elsif ( $cgiparams{'BACKUPLOGS'} eq "exclude" ) { - system("/usr/local/bin/backupctrl exclude >/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "exclude"); } elsif ( $cgiparams{'BACKUPLOGS'} eq "iso" ) { - system("/usr/local/bin/backupctrl iso >/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "iso"); } } if ( $cgiparams{'ACTION'} eq "addonbackup" ) @@ -130,14 +130,14 @@ if ( $cgiparams{'ACTION'} eq "addonbackup" ) # Check if the addon exists exit(1) unless (-e "/var/ipfire/backup/addons/includes/$cgiparams{'ADDON'}"); - system("/usr/local/bin/backupctrl addonbackup $cgiparams{'ADDON'} >/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "addonbackup", "$cgiparams{'ADDON'}"); } elsif ( $cgiparams{'ACTION'} eq "delete" ) { my $file = &sanitise_file($cgiparams{'FILE'}); exit(1) unless defined($file); - system("/usr/local/bin/backupctrl $file >/dev/null 2>&1"); + &General::system("/usr/local/bin/backupctrl", "$file"); } ############################################################################################################################ diff --git a/html/cgi-bin/captive.cgi b/html/cgi-bin/captive.cgi index 51c5d45f2..ce666381c 100755 --- a/html/cgi-bin/captive.cgi +++ b/html/cgi-bin/captive.cgi @@ -64,7 +64,7 @@ my $errormessage=''; my $clients="${General::swroot}/captive/clients"; my %clientshash=(); my $settingsfile="${General::swroot}/captive/settings"; -unless (-e $settingsfile) { system("touch $settingsfile"); } +unless (-e $settingsfile) { &General::system("touch $settingsfile"); } &Header::getcgihash(\%cgiparams); diff --git a/html/cgi-bin/connections.cgi b/html/cgi-bin/connections.cgi index 8613b9d9b..00038f1a0 100644 --- a/html/cgi-bin/connections.cgi +++ b/html/cgi-bin/connections.cgi @@ -146,6 +146,9 @@ if ($netsettings{'RED_DEV'}) { } } +# Call safe system_output function to get all available routes. +my @all_routes = &General::system_output("/sbin/route", "-n"); + # Add Green Firewall Interface push(@network, $netsettings{'GREEN_ADDRESS'}); push(@masklen, "255.255.255.255" ); @@ -157,7 +160,7 @@ push(@masklen, $netsettings{'GREEN_NETMASK'} ); push(@colour, ${Header::colourgreen} ); # Add Green Routes to Array -my @routes = `/sbin/route -n | /bin/grep $netsettings{'GREEN_DEV'}`; +my @routes = grep (/$netsettings{'GREEN_DEV'}/, @all_routes); foreach my $route (@routes) { chomp($route); my @temp = split(/[\t ]+/, $route); @@ -178,7 +181,7 @@ if ($netsettings{'BLUE_DEV'}) { push(@colour, ${Header::colourblue} ); # Add Blue Routes to Array - @routes = `/sbin/route -n | /bin/grep $netsettings{'BLUE_DEV'}`; + @routes = grep(/$netsettings{'BLUE_DEV'}/, @all_routes); foreach my $route (@routes) { chomp($route); my @temp = split(/[\t ]+/, $route); @@ -199,7 +202,7 @@ if ($netsettings{'ORANGE_DEV'}) { push(@masklen, $netsettings{'ORANGE_NETMASK'} ); push(@colour, ${Header::colourorange} ); # Add Orange Routes to Array - @routes = `/sbin/route -n | /bin/grep $netsettings{'ORANGE_DEV'}`; + @routes = grep(/$netsettings{'ORANGE_DEV'}/, @all_routes); foreach my $route (@routes) { chomp($route); my @temp = split(/[\t ]+/, $route); diff --git a/html/cgi-bin/ddns.cgi b/html/cgi-bin/ddns.cgi index 7e4ddb5b7..e30aa3d4f 100644 --- a/html/cgi-bin/ddns.cgi +++ b/html/cgi-bin/ddns.cgi @@ -342,7 +342,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'edit'}) { # Handle forced updates. # if ($settings{'ACTION'} eq $Lang::tr{'instant update'}) { - system(@ddnsprog) == 0 or die "@ddnsprog failed: $?\n"; + &General::system(@ddnsprog) == 0 or die "@ddnsprog failed: $?\n"; } # diff --git a/html/cgi-bin/dhcp.cgi b/html/cgi-bin/dhcp.cgi index 388c4d240..f1fbfd235 100644 --- a/html/cgi-bin/dhcp.cgi +++ b/html/cgi-bin/dhcp.cgi @@ -130,6 +130,15 @@ open(FILE, "$filename2") or die 'Unable to open fixed leases file.'; our @current2 = ; close(FILE); +# Open and read-in file which contains the list of allowed advanced options. +open(FILE, $filename3) or die "Could not open $filename3. $!\n"; + +# Grab file content. +my @advoptions_list = ; + +# Close file handle. +close(FILE); + # Check Settings1 first because they are needed by &buildconf if ($dhcpsettings{'ACTION'} eq $Lang::tr{'save'}) { foreach my $itf (@ITFs) { @@ -338,7 +347,7 @@ if ($dhcpsettings{'ACTION'} eq $Lang::tr{'add'}.'1' && map ($dhcpsettings{"ADVOPT_SCOPE_$_"} = 'off', @ITFs); # force global } elsif (ValidNewOption ($dhcpsettings{'ADVOPT_NAME'} . ' ' . $dhcpsettings{'ADVOPT_DATA'})) { #was a new option - } elsif (! `grep "\$option $dhcpsettings{'ADVOPT_NAME'} " $filename3`) { + } elsif (! grep(/option $dhcpsettings{'ADVOPT_NAME'}/, @advoptions_list)) { $errormessage=$Lang::tr{'dhcp advopt unknown'}.': '.$dhcpsettings{'ADVOPT_NAME'}; } @@ -714,7 +723,20 @@ if ($dhcpsettings{'KEY1'} ne '') { } #search if the 'option' is in the list and print the syntax model -my $opt = `grep "\$option $dhcpsettings{'ADVOPT_NAME'} " $filename3`; +my $opt; + +# Check if a advanced option name is set. +if ($dhcpsettings{'ADVOPT_NAME'}) { + # Check if the name is part of the list and grab syntax. + my @opt = grep(/option $dhcpsettings{'ADVOPT_NAME'}/, @advoptions_list); + + # Assign array element to variable. + $opt = @opt[0]; + + # Remove newlines. + chomp($opt); +} + if ($opt ne '') { $opt =~ s/option $dhcpsettings{'ADVOPT_NAME'}/Syntax:/; # "option xyz abc" => "syntax: abc" $opt =~ s/;//; @@ -1330,7 +1352,7 @@ sub buildconf { print FILE "}\n\n"; } - system ('/usr/bin/touch', "${General::swroot}/dhcp/enable_${lc_itf}"); + &General::system('/usr/bin/touch', "${General::swroot}/dhcp/enable_${lc_itf}"); &General::log("DHCP on ${itf}: " . $Lang::tr{'dhcp server enabled'}) } else { unlink "${General::swroot}/dhcp/enable_${lc_itf}"; @@ -1357,9 +1379,9 @@ sub buildconf { } print FILE "include \"${General::swroot}/dhcp/dhcpd.conf.local\";\n"; close FILE; - if ( $dhcpsettings{"ENABLE_GREEN"} eq 'on' || $dhcpsettings{"ENABLE_BLUE"} eq 'on' ) {system '/usr/local/bin/dhcpctrl enable >/dev/null 2>&1';} - else {system '/usr/local/bin/dhcpctrl disable >/dev/null 2>&1';} - system '/usr/local/bin/dhcpctrl restart >/dev/null 2>&1 &'; + if ( $dhcpsettings{"ENABLE_GREEN"} eq 'on' || $dhcpsettings{"ENABLE_BLUE"} eq 'on' ) {&General::system('/usr/local/bin/dhcpctrl', 'enable');} + else {&General::system('/usr/local/bin/dhcpctrl', 'disable');} + &General::system_background('/usr/local/bin/dhcpctrl', 'restart'); } # diff --git a/html/cgi-bin/dns.cgi b/html/cgi-bin/dns.cgi index 7dc113582..0a34d3fd6 100755 --- a/html/cgi-bin/dns.cgi +++ b/html/cgi-bin/dns.cgi @@ -48,8 +48,8 @@ my $settings_file = "${General::swroot}/dns/settings"; my $servers_file = "${General::swroot}/dns/servers"; # Create files if the does not exist. -unless (-f $settings_file) { system("touch $settings_file") }; -unless (-f $servers_file) { system("touch $servers_file") }; +unless (-f $settings_file) { &General::system("touch", "$settings_file") }; +unless (-f $servers_file) { &General::system("touch", "$servers_file") }; # File which stores the ISP assigned DNS servers. my @ISP_nameserver_files = ( "/var/run/dns1", "/var/run/dns2" ); @@ -844,7 +844,7 @@ sub _handle_unbound_and_more () { &IDS::call_suricatactrl("restart"); } # Restart unbound - system('/usr/local/bin/unboundctrl reload >/dev/null'); + &General::system('/usr/local/bin/unboundctrl', 'reload'); } # Check if the system is online (RED is connected). diff --git a/html/cgi-bin/dnsforward.cgi b/html/cgi-bin/dnsforward.cgi index 749d1216a..e2843a81f 100644 --- a/html/cgi-bin/dnsforward.cgi +++ b/html/cgi-bin/dnsforward.cgi @@ -124,7 +124,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'add'}) } } # Restart unbound - system('/usr/local/bin/unboundctrl reload >/dev/null'); + &General::system('/usr/local/bin/unboundctrl', 'reload'); } ### @@ -142,7 +142,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'remove'}) } close(FILE); # Restart unbound. - system('/usr/local/bin/unboundctrl reload >/dev/null'); + &General::system('/usr/local/bin/unboundctrl', 'reload'); } ### @@ -169,7 +169,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'toggle enable disable'}) } close(FILE); # Restart unbound. - system('/usr/local/bin/unboundctrl reload >/dev/null'); + &General::system('/usr/local/bin/unboundctrl', 'reload'); } ### diff --git a/html/cgi-bin/extrahd.cgi b/html/cgi-bin/extrahd.cgi index aaf42baff..154efd7b2 100644 --- a/html/cgi-bin/extrahd.cgi +++ b/html/cgi-bin/extrahd.cgi @@ -53,8 +53,8 @@ my $partitionsfile = "/var/ipfire/extrahd/partitions"; my @dummy = ( ${Header::colourgreen}, ${Header::colourred} ); undef (@dummy); -system("/usr/local/bin/extrahdctrl scanhd ide >/dev/null"); -system("/usr/local/bin/extrahdctrl scanhd partitions >/dev/null"); +&General::system("/usr/local/bin/extrahdctrl", "scanhd", "ide"); +&General::system("/usr/local/bin/extrahdctrl", "scanhd", "partitions"); &Header::showhttpheaders(); @@ -98,12 +98,12 @@ if ($extrahdsettings{'ACTION'} eq $Lang::tr{'add'}) UUID=$extrahdsettings{'UUID'};$extrahdsettings{'FS'};$extrahdsettings{'PATH'}; END ; - system("/usr/local/bin/extrahdctrl mount $extrahdsettings{'PATH'}"); + &General::system("/usr/local/bin/extrahdctrl", "mount", "$extrahdsettings{'PATH'}"); } } elsif ($extrahdsettings{'ACTION'} eq $Lang::tr{'delete'}) { - if ( `/usr/local/bin/extrahdctrl umount $extrahdsettings{'PATH'}` ) { + if ( &General::system("/usr/local/bin/extrahdctrl", "umount", "$extrahdsettings{'PATH'}")) { open( FILE, "< $devicefile" ) or die "Unable to read $devicefile"; @tmp = ; close FILE; @@ -143,7 +143,11 @@ END { @deviceline = split( /\;/, $deviceentry ); my $color="$Header::colourred"; - if ( ! `/bin/mountpoint $deviceline[2] | grep " not "` ) { + + # Use safe system_output to get mountpoint details. + my @mountpoint = &General::system_output("/bin/mountpoint", "$deviceline[2]"); + + if ( ! grep(/not/, @mountpoint)) { $color=$Header::colourgreen; } print <$configfile"); + close(FILE); + $fireinfosettings{'ENABLE_FIREINFO'} = 'on'; } else { &General::log($Lang::tr{'fireinfo is disabled'}); unlink "$configfile"; $fireinfosettings{'ENABLE_FIREINFO'} = 'off'; } - system("/usr/local/bin/fireinfoctrl &"); + &General::system_background("/usr/local/bin/fireinfoctrl"); } &Header::openpage('Fireinfo', 1, ''); @@ -84,9 +88,13 @@ if ($errormessage) { &Header::closebox(); } -my $ipfire_version = `cat /etc/system-release`; +# Get IPFire version string. +open(FILE, "/etc/system-release"); +my $ipfire_version = ; +close(FILE); + my $pakfire_version = &Pakfire::make_version(); -my $kernel_version = `uname -a`; +my $kernel_version = &General::system_output("uname", "-a"); &Header::openbox('100%', 'left', $Lang::tr{'fireinfo system version'}); print <; +close(FILE); print "
\n"; # Read profile ID from file -my $profile_id = `cat /var/ipfire/fireinfo/public_id`; +open(FILE, "/var/ipfire/fireinfo/public_id"); +my $profile_id = ; +close(FILE); chomp($profile_id); &Header::openbox('100%', 'left', $Lang::tr{'fireinfo settings'}); @@ -157,7 +169,7 @@ print < - + diff --git a/html/cgi-bin/firewall.cgi b/html/cgi-bin/firewall.cgi index 4f4d63cc8..70dee8d3c 100644 --- a/html/cgi-bin/firewall.cgi +++ b/html/cgi-bin/firewall.cgi @@ -38,11 +38,11 @@ require "${General::swroot}/header.pl"; require "${General::swroot}/location-functions.pl"; require "/usr/lib/firewall/firewall-lib.pl"; -unless (-d "${General::swroot}/firewall") { system("mkdir ${General::swroot}/firewall"); } -unless (-e "${General::swroot}/firewall/settings") { system("touch ${General::swroot}/firewall/settings"); } -unless (-e "${General::swroot}/firewall/config") { system("touch ${General::swroot}/firewall/config"); } -unless (-e "${General::swroot}/firewall/input") { system("touch ${General::swroot}/firewall/input"); } -unless (-e "${General::swroot}/firewall/outgoing") { system("touch ${General::swroot}/firewall/outgoing"); } +unless (-d "${General::swroot}/firewall") { &General::system("mkdir", "${General::swroot}/firewall"); } +unless (-e "${General::swroot}/firewall/settings") { &General::system("touch", "${General::swroot}/firewall/settings"); } +unless (-e "${General::swroot}/firewall/config") { &General::system("touch", "${General::swroot}/firewall/config"); } +unless (-e "${General::swroot}/firewall/input") { &General::system("touch", "${General::swroot}/firewall/input"); } +unless (-e "${General::swroot}/firewall/outgoing") { &General::system("touch", "${General::swroot}/firewall/outgoing"); } my %fwdfwsettings=(); my %selected=() ; diff --git a/html/cgi-bin/fwhosts.cgi b/html/cgi-bin/fwhosts.cgi index 84b018459..35611ac08 100644 --- a/html/cgi-bin/fwhosts.cgi +++ b/html/cgi-bin/fwhosts.cgi @@ -75,12 +75,12 @@ my $fwoptions = "${General::swroot}/optionsfw/settings"; my $configovpn = "${General::swroot}/ovpn/settings"; my $configipsecrw = "${General::swroot}/vpn/settings"; -unless (-e $confignet) { system("touch $confignet"); } -unless (-e $confighost) { system("touch $confighost"); } -unless (-e $configgrp) { system("touch $configgrp"); } -unless (-e $configsrv) { system("touch $configsrv"); } -unless (-e $configsrvgrp) { system("touch $configsrvgrp"); } -unless (-e $configlocationgrp) { system("touch $configlocationgrp"); } +unless (-e $confignet) { &General::system("touch", "$confignet"); } +unless (-e $confighost) { &General::system("touch", "$confighost"); } +unless (-e $configgrp) { &General::system("touch", "$configgrp"); } +unless (-e $configsrv) { &General::system("touch", "$configsrv"); } +unless (-e $configsrvgrp) { &General::system("touch", "$configsrvgrp"); } +unless (-e $configlocationgrp) { &General::system("touch $configlocationgrp"); } &General::readhash("${General::swroot}/main/settings", \%mainsettings); &General::readhash("/srv/web/ipfire/html/themes/ipfire/include/colors.txt", \%color); diff --git a/html/cgi-bin/gpl.cgi b/html/cgi-bin/gpl.cgi index be1ea2639..140fd2178 100644 --- a/html/cgi-bin/gpl.cgi +++ b/html/cgi-bin/gpl.cgi @@ -60,7 +60,19 @@ END ; if ( -e "/usr/share/doc/licenses/GPLv3" ) { print ''; } else { diff --git a/html/cgi-bin/guardian.cgi b/html/cgi-bin/guardian.cgi index 552c67211..8ffe57f11 100644 --- a/html/cgi-bin/guardian.cgi +++ b/html/cgi-bin/guardian.cgi @@ -67,8 +67,8 @@ my $settingsfile = "${General::swroot}/guardian/settings"; my $ignoredfile = "${General::swroot}/guardian/ignored"; # Create empty settings and ignoredfile if they do not exist yet. -unless (-e "$settingsfile") { system("touch $settingsfile"); } -unless (-e "$ignoredfile") { system("touch $ignoredfile"); } +unless (-e "$settingsfile") { &General::system("touch", "$settingsfile"); } +unless (-e "$ignoredfile") { &General::system("touch", "$ignoredfile"); } our %settings = (); our %ignored = (); @@ -878,7 +878,7 @@ sub BuildConfiguration() { my $configfile = "${General::swroot}/guardian/guardian.conf"; # Create the configfile if none exists yet. - unless (-e "$configfile") { system("touch $configfile"); } + unless (-e "$configfile") { &General::system("touch", "$configfile"); } # Open configfile for writing. open(FILE, ">$configfile"); @@ -940,11 +940,11 @@ sub BuildConfiguration() { &Guardian::Socket::Client("reload"); } else { # Launch guardian. - system("/usr/local/bin/addonctrl guardian start &>/dev/null"); + &General::system("/usr/local/bin/addonctrl", "guardian", "start"); } } else { # Stop the daemon. - system("/usr/local/bin/addonctrl guardian stop &>/dev/null"); + &General::system("/usr/local/bin/addonctrl", "guardian", "stop"); } } @@ -955,7 +955,7 @@ sub GenerateIgnoreFile() { &General::readhasharray($ignoredfile, \%ignored); # Create the guardian.ignore file if not exist yet. - unless (-e "$ignorefile") { system("touch $ignorefile"); } + unless (-e "$ignorefile") { &General::system("touch", "$ignorefile"); } # Open ignorefile for writing. open(FILE, ">$ignorefile"); diff --git a/html/cgi-bin/gui.cgi b/html/cgi-bin/gui.cgi index 1b316a2a2..820296fe2 100644 --- a/html/cgi-bin/gui.cgi +++ b/html/cgi-bin/gui.cgi @@ -70,7 +70,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") # Set flag if index page is to refresh whilst ppp is up. # Default is NO refresh. if ($cgiparams{'REFRESHINDEX'} ne 'off') { - system ('/usr/bin/touch', "${General::swroot}/main/refreshindex"); + &General::system('/usr/bin/touch', "${General::swroot}/main/refreshindex"); } else { unlink "${General::swroot}/main/refreshindex"; } @@ -78,7 +78,7 @@ if ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") # Beep on ip-up or ip-down. Default is ON. if ($cgiparams{'PPPUPDOWNBEEP'} ne 'on') { $cgiparams{'PPPUPDOWNBEEP'} = 'off'; - system ('/usr/bin/touch', "${General::swroot}/red/nobeeps"); + &General::system('/usr/bin/touch', "${General::swroot}/red/nobeeps"); } else { unlink "${General::swroot}/red/nobeeps"; } diff --git a/html/cgi-bin/hardwaregraphs.cgi b/html/cgi-bin/hardwaregraphs.cgi index 813d32f7b..e8f0fa362 100644 --- a/html/cgi-bin/hardwaregraphs.cgi +++ b/html/cgi-bin/hardwaregraphs.cgi @@ -38,12 +38,55 @@ my %mainsettings = (); my %sensorsettings = (); my @sensorsgraphs = (); -my @sensorsdir = `ls -dA $mainsettings{'RRDLOG'}/collectd/localhost/sensors-*/`; -foreach (@sensorsdir){ - chomp($_);chop($_); - foreach (`ls $_/*`){ - chomp($_); - push(@sensorsgraphs,$_); + +# Main directory where rrdlog puts the sensor data. +my $sensorsdir = "$mainsettings{'RRDLOG'}/collectd/localhost"; + +# Open sensors directory. +opendir(SENSORS, "$sensorsdir") or die "Could not opendir $sensorsdir: $!\n"; + +# Read-in all sensors. +my @sensor_dirs = readdir(SENSORS); + +# Close directory handle. +closedir(SENSORS); + +# Loop through the grabbed sensors. +foreach my $sensor_dir (@sensor_dirs) { + # Skip everything which does not start with "sensors-". + next unless $sensor_dir =~ /^sensors-/; + + # Check if the omitet element is a directory. + next unless (-d "$sensorsdir/$sensor_dir"); + + # Open sensor directory and lookup for sensors. + opendir(SENSOR_DIR, "$sensorsdir/$sensor_dir") or die "Could not opendir $sensorsdir/$sensor_dir: $!\n"; + + # Grab single sensors from the directory. + my @sensors = readdir(SENSOR_DIR); + + # Close directory handle. + closedir(SENSOR_DIR); + + # Loop through the omited sensors. + foreach my $sensor (@sensors) { + # Skip everything which is not a regular file. + next unless (-f "$sensorsdir/$sensor_dir/$sensor"); + + # Add sensor to the array of sensorsgrapghs. + push(@sensorsgraphs, "$sensorsdir/$sensor_dir/$sensor"); + } +} + +# Look for ACPI Thermal Zone sensors. +my @thermal_zone_sensors = grep(/thermal-thermal_zone/, @sensor_dirs); + +# If a thermal zone sensor has been found add it to the sensorsgraphs array. +if (@thermal_zone_sensors) { + # Loop through the array of thermal zone sensors. + foreach my $thermal_zone_sensor (@thermal_zone_sensors) { + # Add the sensor to the array. + push(@sensorsgraphs, "$sensorsdir/$thermal_zone_sensor"); } } @@ -97,7 +140,9 @@ if ( $querry[0] =~ "hwtemp"){ &General::writehash("${General::swroot}/sensors/settings", \%sensorsettings); } - my @disks = `ls -1 /sys/block | grep -E '^sd|^nvme' | sort | uniq`; + # This should be save, because no user given content will be processed. + #my @disks = `ls -1 /sys/block | grep -E '^sd|^nvme' | sort | uniq`; + my @disks = &get_disks(); foreach (@disks){ my $disk = $_; @@ -109,31 +154,31 @@ if ( $querry[0] =~ "hwtemp"){ &Header::closebox(); } - if ( `ls $mainsettings{'RRDLOG'}/collectd/localhost/thermal-thermal_zone* 2>/dev/null` ) { + if ( grep(/thermal-thermal_zone/, @sensorsgraphs) ) { &Header::openbox('100%', 'center', "ACPI Thermal-Zone Temp $Lang::tr{'graph'}"); &Graphs::makegraphbox("hardwaregraphs.cgi","thermaltemp","day"); &Header::closebox(); } - if ( `ls $mainsettings{'RRDLOG'}/collectd/localhost/sensors-*/temperature-* 2>/dev/null` ) { + if ( grep(/temperature-/, @sensorsgraphs) ) { &Header::openbox('100%', 'center', "hwtemp $Lang::tr{'graph'}"); &Graphs::makegraphbox("hardwaregraphs.cgi","hwtemp","day"); Header::closebox(); } - if ( `ls $mainsettings{'RRDLOG'}/collectd/localhost/sensors-*/fanspeed-* 2>/dev/null` ) { + if ( grep(/fanspeed-/, @sensorsgraphs) ) { &Header::openbox('100%', 'center', "hwfan $Lang::tr{'graph'}"); &Graphs::makegraphbox("hardwaregraphs.cgi","hwfan","day"); &Header::closebox(); } - if ( `ls $mainsettings{'RRDLOG'}/collectd/localhost/sensors-*/voltage-* 2>/dev/null` ) { + if ( grep(/voltage-/, @sensorsgraphs) ) { &Header::openbox('100%', 'center', "hwvolt $Lang::tr{'graph'}"); &Graphs::makegraphbox("hardwaregraphs.cgi","hwvolt","day"); &Header::closebox(); } - if ( `ls $mainsettings{'RRDLOG'}/collectd/localhost/sensors-* 2>/dev/null` ) { + if ( @sensorsgraphs ) { sensorsbox(); } &Header::closebigbox(); @@ -175,3 +220,40 @@ END ; &Header::closebox(); } + +sub get_disks () { + my @disks; + + # Open virtal sys FS and grab block devices. + opendir(SYS, "/sys/block") or die "Could not opendir /sys/block/: $!\n"; + + # Grab all available block devices. + my @blockdevs = readdir(SYS); + + # Close directory handle. + closedir(SYS); + + # Loop through the array of blockdevs. + foreach my $dev (@blockdevs) { + # Skip all devices which does not start with "sd" or "nvme". + next unless (( $dev =~ /^sd/) || ($dev =~ /^nvme/)); + + # Add the device to the array of disks. + push(@disks, $dev); + } + + # Remove duplicates. + my @disks = &uniq(@disks); + + # Sort the array. + my @disks = sort(@disks); + + # Return the array. + return @disks; +} + +# Tiny code snipped to get a uniq() like function. +sub uniq { + my %seen; + return grep { !$seen{$_}++ } @_; +} diff --git a/html/cgi-bin/hosts.cgi b/html/cgi-bin/hosts.cgi index d9e9cb0af..a99d1364a 100644 --- a/html/cgi-bin/hosts.cgi +++ b/html/cgi-bin/hosts.cgi @@ -487,6 +487,6 @@ sub SortDataFile # Build the configuration file # sub BuildConfiguration { - system '/usr/local/bin/rebuildhosts'; - system '/usr/local/bin/unboundctrl reload &>/dev/null'; + &General::system('/usr/local/bin/rebuildhosts'); + &General::system('/usr/local/bin/unboundctrl', 'reload'); } diff --git a/html/cgi-bin/index.cgi b/html/cgi-bin/index.cgi index 4ac237d0f..fafbe0aa1 100644 --- a/html/cgi-bin/index.cgi +++ b/html/cgi-bin/index.cgi @@ -118,10 +118,10 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'dial profile'}) } if ($cgiparams{'ACTION'} eq $Lang::tr{'dial'}) { - system('/usr/local/bin/redctrl start > /dev/null') == 0 + &General::system('/usr/local/bin/redctrl', 'start') == 0 or &General::log("Dial failed: $?"); sleep 1; }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'hangup'}) { - system('/usr/local/bin/redctrl stop > /dev/null') == 0 + &General::system('/usr/local/bin/redctrl', 'stop') == 0 or &General::log("Hangup failed: $?"); sleep 1; } diff --git a/html/cgi-bin/mac.cgi b/html/cgi-bin/mac.cgi index 161be3421..f4c5aa2d4 100644 --- a/html/cgi-bin/mac.cgi +++ b/html/cgi-bin/mac.cgi @@ -94,7 +94,7 @@ if ($macsettings{'ACTION'} eq $Lang::tr{'save'}) { } } if ($macsettings{'ACTION'} eq $Lang::tr{'reconnect'}) { - system("/usr/local/bin/redctrl restart >/dev/null 2>&1 &"); + &General::system_background("/usr/local/bin/redctrl", "restart"); &Header::openbox('100%', 'left', $Lang::tr{'mac address recon'} ); print "$Lang::tr{'mac address done'}\n"; &Header::closebox(); @@ -107,7 +107,7 @@ if ($macsettings{'ACTION'} eq $Lang::tr{'delete'} ) { } if ($macsettings{'ACTION'} eq $Lang::tr{'reboot'}) { &General::log($Lang::tr{'rebooting ipfire'}); - system("/usr/local/bin/ipfirereboot boot"); + &General::system("/usr/local/bin/ipfirereboot", "boot"); &Header::openbox('100%', 'left', $Lang::tr{'rebooting ipfire'} ); print "  

"; print ""; diff --git a/html/cgi-bin/mdstat.cgi b/html/cgi-bin/mdstat.cgi index d476e074d..9ee2b15a1 100644 --- a/html/cgi-bin/mdstat.cgi +++ b/html/cgi-bin/mdstat.cgi @@ -42,7 +42,13 @@ my %mainsettings = (); &Header::openbox('100%', 'left',"MD Raid State"); print ''; &Header::closebox(); diff --git a/html/cgi-bin/memory.cgi b/html/cgi-bin/memory.cgi index 89fa7d14a..dea7e3668 100644 --- a/html/cgi-bin/memory.cgi +++ b/html/cgi-bin/memory.cgi @@ -56,7 +56,7 @@ if ( $querry[0] =~ "memory"){ &Graphs::makegraphbox("memory.cgi","memory","day"); &Header::closebox(); - if ( `ls $mainsettings{'RRDLOG'}/collectd/localhost/swap 2>/dev/null` ) { + if (-f $mainsettings{'RRDLOG'}/collectd/localhost/swap) { &Header::openbox('100%', 'center', "Swap $Lang::tr{'graph'}"); &Graphs::makegraphbox("memory.cgi","swap","day"); &Header::closebox(); diff --git a/html/cgi-bin/modem.cgi b/html/cgi-bin/modem.cgi index a13f8b265..bf5080d01 100644 --- a/html/cgi-bin/modem.cgi +++ b/html/cgi-bin/modem.cgi @@ -57,7 +57,7 @@ ERROR: if ($modemsettings{'ACTION'} eq $Lang::tr{'restore defaults'}) { - system('/bin/cp', "${General::swroot}/modem/defaults", "${General::swroot}/modem/settings", '-f'); + &General::system("cp", "-f", "${General::swroot}/modem/defaults", "${General::swroot}/modem/settings"); } &General::readhash("${General::swroot}/modem/settings", \%modemsettings); diff --git a/html/cgi-bin/mpfire.cgi b/html/cgi-bin/mpfire.cgi index c8cfc4b11..ea83d1db1 100644 --- a/html/cgi-bin/mpfire.cgi +++ b/html/cgi-bin/mpfire.cgi @@ -231,7 +231,7 @@ if ( $mpfiresettings{'ACTION'} eq "scan" ){ $mpd->updatedb(); refreshpage(); }elsif ( $mpfiresettings{'ACTION'} eq "playweb" ){ - $message=system("/usr/local/bin/mpfirectrl","playweb","\"$mpfiresettings{'FILE'}\"","2>/dev/null"); + $message= &General::system_output("/usr/local/bin/mpfirectrl","playweb","\"$mpfiresettings{'FILE'}\""); }elsif ( $mpfiresettings{'ACTION'} eq "playlist" ){ $mpd->play(); }elsif ( $mpfiresettings{'ACTION'} eq "emptyplaylist" ){ diff --git a/html/cgi-bin/netexternal.cgi b/html/cgi-bin/netexternal.cgi index a31502dd0..1e3760c2b 100644 --- a/html/cgi-bin/netexternal.cgi +++ b/html/cgi-bin/netexternal.cgi @@ -86,8 +86,7 @@ if ( $querry[0] ne~ ""){ &General::readhash("${General::swroot}/dhcpc/dhcpcd-$netsettings{'RED_DEV'}.info", \%dhcpinfo); - my $DNS1=`echo $dhcpinfo{'domain_name_servers'} | cut -f 1 -d " "`; - my $DNS2=`echo $dhcpinfo{'domain_name_servers'} | cut -f 2 -d " "`; + my ($DNS1, $DNS2) = split(/ /, $dhcpinfo{'domain_name_servers'}); my $lsetme=0; my $leasetime=""; diff --git a/html/cgi-bin/optionsfw.cgi b/html/cgi-bin/optionsfw.cgi index 321642e82..1ecf4f180 100644 --- a/html/cgi-bin/optionsfw.cgi +++ b/html/cgi-bin/optionsfw.cgi @@ -49,7 +49,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { if ($settings{'defpol'} ne '1'){ $errormessage .= $Lang::tr{'new optionsfw later'}; &General::writehash($filename, \%settings); # Save good settings - system("/usr/local/bin/firewallctrl"); + &General::system("/usr/local/bin/firewallctrl"); }else{ if ($settings{'POLICY'} ne ''){ $fwdfwsettings{'POLICY'} = $settings{'POLICY'}; @@ -64,7 +64,7 @@ if ($settings{'ACTION'} eq $Lang::tr{'save'}) { $fwdfwsettings{'POLICY1'} = "$MODE1"; &General::writehash("${General::swroot}/firewall/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); - system("/usr/local/bin/firewallctrl"); + &General::system("/usr/local/bin/firewallctrl"); } &General::readhash($filename, \%settings); # Load good settings } diff --git a/html/cgi-bin/ovpnmain.cgi b/html/cgi-bin/ovpnmain.cgi index b98d88529..077f5ab6c 100644 --- a/html/cgi-bin/ovpnmain.cgi +++ b/html/cgi-bin/ovpnmain.cgi @@ -192,10 +192,10 @@ sub newcleanssldatabase close FILE; } if (! -s ">${General::swroot}/ovpn/certs/index.txt") { - system ("touch ${General::swroot}/ovpn/certs/index.txt"); + &General::system("touch", "${General::swroot}/ovpn/certs/index.txt"); } if (! -s ">${General::swroot}/ovpn/certs/index.txt.attr") { - system ("touch ${General::swroot}/ovpn/certs/index.txt.attr"); + &General::system("touch", "${General::swroot}/ovpn/certs/index.txt.attr"); } unlink ("${General::swroot}/ovpn/certs/index.txt.old"); unlink ("${General::swroot}/ovpn/certs/index.txt.attr.old"); @@ -220,18 +220,21 @@ sub pkiconfigcheck { # Warning if DH parameter is 1024 bit if (-f "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}") { - my $dhparameter = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}`; - my @dhbit = ($dhparameter =~ /(\d+)/); - if ($1 < 2048) { - $cryptoerror = "$Lang::tr{'ovpn error dh'}"; - goto CRYPTO_ERROR; + my @dhparameter = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"); + + foreach my $line (@dhparameter) { + my @dhbit = ($line =~ /(\d+)/); + if ($1 < 2048) { + $cryptoerror = "$Lang::tr{'ovpn error dh'}"; + goto CRYPTO_ERROR; + } } } # Warning if md5 is in usage if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $signature = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($signature =~ /md5WithRSAEncryption/) { + my @signature = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (grep(/md5WithRSAEncryption/, @signature) ) { $cryptoerror = "$Lang::tr{'ovpn error md5'}"; goto CRYPTO_ERROR; } @@ -241,8 +244,8 @@ sub pkiconfigcheck # Warning if certificate is not compliant to RFC3280 TLS rules if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $extendkeyusage = `/usr/bin/openssl x509 -noout -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($extendkeyusage !~ /TLS Web Server Authentication/) { + my @extendkeyusage = &General::system_output("/usr/bin/openssl", "x509", "-noout", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if ( ! grep(/TLS Web Server Authentication/, @extendkeyusage)) { $cryptowarning = "$Lang::tr{'ovpn warning rfc3280'}"; goto CRYPTO_WARNING; } @@ -734,7 +737,7 @@ sub writecollectdconf { close(COLLECTDVPN); # Reload collectd afterwards - system("/usr/local/bin/collectdctrl restart &>/dev/null"); + &General::system("/usr/local/bin/collectdctrl", "restart"); } #hier die refresh page @@ -764,11 +767,11 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'} || #start openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'start ovpn server'}){ &emptyserverlog(); - system('/usr/local/bin/openvpnctrl', '-s'); + &General::system("/usr/local/bin/openvpnctrl", "-s"); } #stop openvpn server if ($cgiparams{'ACTION'} eq $Lang::tr{'stop ovpn server'}){ - system('/usr/local/bin/openvpnctrl', '-k'); + &General::system("/usr/local/bin/openvpnctrl", "-k"); &emptyserverlog(); } # #restart openvpn server @@ -1075,8 +1078,8 @@ unless(-d "${General::swroot}/ovpn/n2nconf/$cgiparams{'NAME'}"){mkdir "${General # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if ( ! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\n"; } else { print CLIENTCONF "remote-cert-tls server\n"; @@ -1196,7 +1199,8 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg # Create ta.key for tls-auth if not presant if ($cgiparams{'TLSAUTH'} eq 'on') { if ( ! -e "${General::swroot}/ovpn/certs/ta.key") { - system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); + # This system call is safe, because all arguements are passed as an array. + system("/usr/sbin/openvpn", "--genkey", "--secret", "${General::swroot}/ovpn/certs/ta.key"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; goto SETTINGS_ERROR; @@ -1219,9 +1223,24 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg $vpnsettings{'TLSAUTH'} = $cgiparams{'TLSAUTH'}; #wrtie enable - if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_blue 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_blue 2>/dev/null");} - if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable_orange 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable_orange 2>/dev/null");} - if ( $vpnsettings{'ENABLED'} eq 'on' ) {system("touch ${General::swroot}/ovpn/enable 2>/dev/null");}else{system("unlink ${General::swroot}/ovpn/enable 2>/dev/null");} + if ( $vpnsettings{'ENABLED_BLUE'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable_blue"); + } else { + unlink(${General::swroot}/ovpn/enable_blue); + } + + if ( $vpnsettings{'ENABLED_ORANGE'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable_orange"); + } else { + unlink("${General::swroot}/ovpn/enable_orange"); + } + + if ( $vpnsettings{'ENABLED'} eq 'on' ) { + &General::system("touch", "${General::swroot}/ovpn/enable"); + } else { + unlink("${General::swroot}/ovpn/enable"); + } + #new settings for daemon &General::writehash("${General::swroot}/ovpn/settings", \%vpnsettings); &writeserverconf();#hier ok @@ -1234,7 +1253,7 @@ SETTINGS_ERROR: &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); # Kill all N2N connections - system("/usr/local/bin/openvpnctrl -kn2n &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n"); foreach my $key (keys %confighash) { my $name = $confighash{$cgiparams{'$key'}}[1]; @@ -1243,7 +1262,7 @@ SETTINGS_ERROR: delete $confighash{$cgiparams{'$key'}}; } - system ("/usr/local/bin/openvpnctrl -drrd $name &>/dev/null"); + &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$name"); } while ($file = glob("${General::swroot}/ovpn/ca/*")) { unlink $file; @@ -1282,7 +1301,7 @@ SETTINGS_ERROR: close FILE; } while ($file = glob("${General::swroot}/ovpn/n2nconf/*")) { - system ("rm -rf $file"); + unlink($file); } # Remove everything from the collectd configuration @@ -1328,7 +1347,8 @@ END unlink "${General::swroot}/ovpn/ca/$cgiparams{'DH_NAME'}"; } # Create Diffie Hellmann Parameter - system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); + # The system call is safe, because all arguments are passed as an array. + system("/usr/bin/openssl", "dhparam", "-out", "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; unlink ("${General::swroot}/ovpn/ca/dh1024.pem"); @@ -1397,8 +1417,8 @@ END $errormessage = $!; goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl dhparam -text -in $filename`; - if ($temp !~ /DH Parameters: \((2048|3072|4096) bit\)/) { + my @temp = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "$filename"); + if ( ! grep(/DH Parameters: \((2048|3072|4096) bit\)/, @temp)) { $errormessage = $Lang::tr{'not a valid dh key'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -1454,8 +1474,8 @@ END $errormessage = $!; goto UPLOADCA_ERROR; } - my $temp = `/usr/bin/openssl x509 -text -in $filename`; - if ($temp !~ /CA:TRUE/i) { + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename"); + if ( ! grep(/CA:TRUE/i, @temp )) { $errormessage = $Lang::tr{'not a valid ca certificate'}; unlink ($filename); goto UPLOADCA_ERROR; @@ -1468,11 +1488,19 @@ END } } - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; + @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cgiparams{'CA_NAME'}cert.pem"); + my $casubject; + + foreach my $line (@casubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + + last; + } + } + $casubject = &Header::cleanhtml($casubject); my $key = &General::findhasharraykey (\%cahash); @@ -1494,9 +1522,9 @@ END &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', $errormessage); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ca certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -1515,7 +1543,10 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem"); + print "@tmp"; + exit(0); } else { $errormessage = $Lang::tr{'invalid key'}; @@ -1530,8 +1561,8 @@ END if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { # Delete connection # if ($vpnsettings{'ENABLED'} eq 'on' || # $vpnsettings{'ENABLED_BLUE'} eq 'on') { @@ -1561,8 +1592,8 @@ END my $assignedcerts = 0; if ( -f "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) { foreach my $key (keys %confighash) { - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + if (grep(/: OK/, @test)) { $assignedcerts++; } } @@ -1601,19 +1632,19 @@ END ### }elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} || $cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) { - my $output; + my @output; &Header::showhttpheaders(); &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) { &Header::openbox('100%', 'LEFT', "$Lang::tr{'root certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); } else { &Header::openbox('100%', 'LEFT', "$Lang::tr{'host certificate'}:"); - $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; + @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); } - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -1627,7 +1658,10 @@ END if ( -f "${General::swroot}/ovpn/ca/cacert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=cacert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/ca/cacert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); + print "@tmp"; + exit(0); } @@ -1638,7 +1672,10 @@ END if ( -f "${General::swroot}/ovpn/certs/servercert.pem" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=servercert.pem\r\n\r\n"; - print `/usr/bin/openssl x509 -in ${General::swroot}/ovpn/certs/servercert.pem`; + + my @tmp = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + print "@tmp"; + exit(0); } @@ -1649,7 +1686,13 @@ END if ( -f "${General::swroot}/ovpn/certs/ta.key" ) { print "Content-Type: application/octet-stream\r\n"; print "Content-Disposition: filename=ta.key\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; + + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @tmp = ; + close(FILE); + + print "@tmp"; + exit(0); } @@ -1926,6 +1969,7 @@ END } # Sign the host certificate request + # This system call is safe, because all argeuments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', '999999', '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/serverreq.pem", @@ -1947,6 +1991,7 @@ END } # Create an empty CRL + # System call is safe, because all arguments are passed as array. system('/usr/bin/openssl', 'ca', '-gencrl', '-out', "${General::swroot}/ovpn/crls/cacrl.pem", '-config', "${General::swroot}/ovpn/openssl/ovpn.cnf" ); @@ -1962,6 +2007,7 @@ END # &cleanssldatabase(); } # Create ta.key for tls-auth + # This system call is safe, because all arguments are passed as an array. system('/usr/sbin/openvpn', '--genkey', '--secret', "${General::swroot}/ovpn/certs/ta.key"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; @@ -1969,6 +2015,7 @@ END goto ROOTCERT_ERROR; } # Create Diffie Hellmann Parameter + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'dhparam', '-out', "${General::swroot}/ovpn/ca/dh1024.pem", "$cgiparams{'DHLENGHT'}"); if ($?) { $errormessage = "$Lang::tr{'openssl produced an error'}: $?"; @@ -2083,7 +2130,7 @@ END } ROOTCERT_SUCCESS: - system ("chmod 600 ${General::swroot}/ovpn/certs/serverkey.pem"); + &General::system("chmod", "600", "${General::swroot}/ovpn/certs/serverkey.pem"); # if ($vpnsettings{'ENABLED'} eq 'on' || # $vpnsettings{'ENABLE_BLUE'} eq 'on') { # system('/usr/local/bin/ipsecctrl', 'S'); @@ -2101,8 +2148,12 @@ END &General::readhash("${General::swroot}/ovpn/settings", \%vpnsettings); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); -# my $n2nactive = ''; - my $n2nactive = `/bin/ps ax|grep $confighash{$cgiparams{'KEY'}}[1]|grep -v grep|awk \'{print \$1}\'`; + my $n2nactive = ''; + my @ps = &General::system_output("/bin/ps", "ax"); + + if(grep(/$confighash{$cgiparams{'KEY'}}[1]/, @ps)) { + $n2nactive = "1"; + } if ($confighash{$cgiparams{'KEY'}}) { if ($confighash{$cgiparams{'KEY'}}[0] eq 'off') { @@ -2110,7 +2161,7 @@ END &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); + &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]"); &writecollectdconf(); } } else { @@ -2120,7 +2171,7 @@ END if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ if ($n2nactive ne '') { - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); &writecollectdconf(); } @@ -2204,8 +2255,8 @@ if ($confighash{$cgiparams{'KEY'}}[3] eq 'net'){ # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\n"; } else { print CLIENTCONF "remote-cert-tls server\n"; @@ -2315,6 +2366,7 @@ else $zip->addFile("${General::swroot}/ovpn/ca/cacert.pem", "cacert.pem") or die "Can't add file cacert.pem\n"; # Extract the certificate + # This system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-clcerts', '-nokeys', '-nodes', '-out', "$file_crt" , '-passin', 'pass:'); if ($?) { @@ -2325,6 +2377,7 @@ else print CLIENTCONF ";cert $confighash{$cgiparams{'KEY'}}[1].pem\r\n"; # Extract the key + # This system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'pkcs12', '-in', "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12", '-nocerts', '-nodes', '-out', "$file_key", '-passin', 'pass:'); if ($?) { @@ -2361,8 +2414,8 @@ else # Check host certificate if X509 is RFC3280 compliant. # If not, old --ns-cert-type directive will be used. # If appropriate key usage extension exists, new --remote-cert-tls directive will be used. - my $hostcert = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - if ($hostcert !~ /TLS Web Server Authentication/) { + my @hostcert = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + if (! grep(/TLS Web Server Authentication/, @hostcert)) { print CLIENTCONF "ns-cert-type server\r\n"; } else { print CLIENTCONF "remote-cert-tls server\r\n"; @@ -2464,8 +2517,8 @@ else if ($confighash{$cgiparams{'KEY'}}) { # Revoke certificate if certificate was deleted and rewrite the CRL - my $temp = `/usr/bin/openssl ca -revoke ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; - my $tempA = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::system("/usr/bin/openssl", "ca", "-revoke", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf)"; + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); ### # m.a.d net2net @@ -2473,7 +2526,7 @@ else if ($confighash{$cgiparams{'KEY'}}[3] eq 'net') { # Stop the N2N connection before it is removed - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); my $conffile = glob("${General::swroot}/ovpn/n2nconf/$confighash{$cgiparams{'KEY'}}[1]/$confighash{$cgiparams{'KEY'}}[1].conf"); my $certfile = glob("${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); @@ -2515,10 +2568,10 @@ else # CCD end # Update collectd configuration and delete all RRD files of the removed connection &writecollectdconf(); - system ('/usr/local/bin/openvpnctrl', '-drrd', $confighash{$cgiparams{'KEY'}}[1]); + &General::system("/usr/local/bin/openvpnctrl", "-drrd", "$confighash{$cgiparams{'KEY'}}[1]"); delete $confighash{$cgiparams{'KEY'}}; - my $temp2 = `/usr/bin/openssl ca -gencrl -out ${General::swroot}/ovpn/crls/cacrl.pem -config ${General::swroot}/ovpn/openssl/ovpn.cnf`; + &General::system("/usr/bin/openssl", "ca", "-gencrl", "-out", "${General::swroot}/ovpn/crls/cacrl.pem", "-config", "${General::swroot}/ovpn/openssl/ovpn.cnf"); &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); } else { @@ -2534,7 +2587,12 @@ else print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12`; + + open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1].p12"); + my @tmp = ; + close(FILE); + + print "@tmp"; exit (0); ### @@ -2548,9 +2606,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'certificate'}:"); - my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2570,9 +2628,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'dh'}:"); - my $output = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2592,9 +2650,13 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'ta key'}:"); - my $output = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @output = ; + close(FILE); + + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -2615,9 +2677,9 @@ else &Header::openpage($Lang::tr{'ovpn'}, 1, ''); &Header::openbigbox('100%', 'LEFT', '', ''); &Header::openbox('100%', 'LEFT', "$Lang::tr{'crl'}:"); - my $output = `/usr/bin/openssl crl -text -noout -in ${General::swroot}/ovpn/crls/cacrl.pem`; - $output = &Header::cleanhtml($output,"y"); - print "
$output
\n"; + my @output = &General::system_output("/usr/bin/openssl", "crl", "-text", "-noout", "-in", "${General::swroot}/ovpn/crls/cacrl.pem"); + @output = &Header::cleanhtml(@output,"y"); + print "
@output
\n"; &Header::closebox(); print ""; &Header::closebigbox(); @@ -3105,7 +3167,12 @@ END if ( -f "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") { print "Content-Disposition: filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\r\n"; print "Content-Type: application/octet-stream\r\n\r\n"; - print `/bin/cat ${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`; + + open(FILE, "${General::swroot}/ovpn/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem"); + my @tmp = ; + close(FILE); + + print "@tmp"; exit (0); } @@ -4031,6 +4098,7 @@ if ($cgiparams{'TYPE'} eq 'net') { # Sign the certificate request and move it # Sign the host certificate request + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', $filename, @@ -4047,11 +4115,19 @@ if ($cgiparams{'TYPE'} eq 'net') { &deletebackupcert(); } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + my $temp; + + foreach my $line (@temp) { + if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) { + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + + last; + } + } + $cgiparams{'CERT_NAME'} = $temp; $cgiparams{'CERT_NAME'} =~ s/,//g; $cgiparams{'CERT_NAME'} =~ s/\'//g; @@ -4077,13 +4153,13 @@ if ($cgiparams{'TYPE'} eq 'net') { # Verify the certificate has a valid CA and move it my $validca = 0; - my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/cacert.pem $filename`; - if ($test =~ /: OK/) { + my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/cacert.pem", "$filename"); + if (grep(/: OK/, @test)) { $validca = 1; } else { foreach my $key (keys %cahash) { - $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem $filename`; - if ($test =~ /: OK/) { + @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ovpn/ca/$cahash{$key}[0]cert.pem", "$filename"); + if (grep(/: OK/, @test)) { $validca = 1; } } @@ -4101,11 +4177,19 @@ if ($cgiparams{'TYPE'} eq 'net') { } } - my $temp = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem`; - $temp =~ /Subject:.*CN\s?=\s?(.*)[\n]/; - $temp = $1; - $temp =~ s+/Email+, E+; - $temp =~ s/ ST=/ S=/; + my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem"); + my $temp; + + foreach my $line (@temp) { + if ($line =~ /Subject:.*CN\s?=\s?(.*)[\n]/) { + $temp = $1; + $temp =~ s+/Email+, E+; + $temp =~ s/ ST=/ S=/; + + last; + } + } + $cgiparams{'CERT_NAME'} = $temp; $cgiparams{'CERT_NAME'} =~ s/,//g; $cgiparams{'CERT_NAME'} =~ s/\'//g; @@ -4232,6 +4316,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } # Sign the host certificate request + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'ca', '-days', "$cgiparams{'DAYS_VALID'}", '-batch', '-notext', '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}req.pem", @@ -4250,6 +4335,7 @@ if ($cgiparams{'TYPE'} eq 'net') { } # Create the pkcs12 file + # The system call is safe, because all arguments are passed as an array. system('/usr/bin/openssl', 'pkcs12', '-export', '-inkey', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}key.pem", '-in', "${General::swroot}/ovpn/certs/$cgiparams{'NAME'}cert.pem", @@ -4415,21 +4501,24 @@ if ($cgiparams{'TYPE'} eq 'net') { if ($cgiparams{'TYPE'} eq 'net') { - if (-e "/var/run/$confighash{$key}[1]n2n.pid") { - system('/usr/local/bin/openvpnctrl', '-kn2n', $confighash{$cgiparams{'KEY'}}[1]); + if (-e "/var/run/$confighash{$key}[1]n2n.pid") { + &General::system("/usr/local/bin/openvpnctrl", "-kn2n", "$confighash{$cgiparams{'KEY'}}[1]"); - &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my $key = $cgiparams{'KEY'}; - if (! $key) { - $key = &General::findhasharraykey (\%confighash); - foreach my $i (0 .. 31) { $confighash{$key}[$i] = "";} - } - $confighash{$key}[0] = 'on'; - &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); + my $key = $cgiparams{'KEY'}; + if (! $key) { + $key = &General::findhasharraykey (\%confighash); + foreach my $i (0 .. 31) { + $confighash{$key}[$i] = ""; + } + } + + $confighash{$key}[0] = 'on'; + &General::writehasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - system('/usr/local/bin/openvpnctrl', '-sn2n', $confighash{$cgiparams{'KEY'}}[1]); - } - } + &General::system("/usr/local/bin/openvpnctrl", "-sn2n", "$confighash{$cgiparams{'KEY'}}[1]"); + } + } ### # m.a.d n2n end @@ -5046,7 +5135,9 @@ END &General::readhasharray("${General::swroot}/ovpn/caconfig", \%cahash); &General::readhasharray("${General::swroot}/ovpn/ovpnconfig", \%confighash); - my @status = `/bin/cat /var/run/ovpnserver.log`; + open(FILE, "/var/run/ovpnserver.log"); + my @status = ; + close(FILE); if ($cgiparams{'VPN_IP'} eq '' && -e "${General::swroot}/red/active") { if (open(IPADDR, "${General::swroot}/red/local-ipaddress")) { @@ -5358,9 +5449,17 @@ END #} else { #print " "; #} - my $cavalid = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem`; - $cavalid =~ /Not After : (.*)[\n]/; - $cavalid = $1; + my @cavalid = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/$confighash{$key}[1]cert.pem"); + my $cavalid; + + foreach my $line (@cavalid) { + if ($line =~ /Not After : (.*)[\n]/) { + $cavalid = $1; + + last; + } + } + print "$confighash{$key}[25]"; $col1="bgcolor='${Header::colourred}'"; my $active = "$Lang::tr{'capsclosed'}"; @@ -5571,11 +5670,19 @@ END my $col4="bgcolor='$color{'color20'}'"; if (-f "${General::swroot}/ovpn/ca/cacert.pem") { - my $casubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/ca/cacert.pem`; - $casubject =~ /Subject: (.*)[\n]/; - $casubject = $1; - $casubject =~ s+/Email+, E+; - $casubject =~ s/ ST=/ S=/; + my @casubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/ca/cacert.pem"); + my $casubject; + + foreach my $line (@casubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $casubject = $1; + $casubject =~ s+/Email+, E+; + $casubject =~ s/ ST=/ S=/; + + last; + } + } + print < $Lang::tr{'root certificate'} @@ -5605,11 +5712,18 @@ END } if (-f "${General::swroot}/ovpn/certs/servercert.pem") { - my $hostsubject = `/usr/bin/openssl x509 -text -in ${General::swroot}/ovpn/certs/servercert.pem`; - $hostsubject =~ /Subject: (.*)[\n]/; - $hostsubject = $1; - $hostsubject =~ s+/Email+, E+; - $hostsubject =~ s/ ST=/ S=/; + my @hostsubject = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ovpn/certs/servercert.pem"); + my $hostsubject; + + foreach my $line (@hostsubject) { + if ($line =~ /Subject: (.*)[\n]/) { + $hostsubject = $1; + $hostsubject =~ s+/Email+, E+; + $hostsubject =~ s/ ST=/ S=/; + + last; + } + } print < @@ -5641,10 +5755,16 @@ END # Adding DH parameter to chart if (-f "${General::swroot}/ovpn/ca/dh1024.pem") { - my $dhsubject = `/usr/bin/openssl dhparam -text -in ${General::swroot}/ovpn/ca/dh1024.pem`; - $dhsubject =~ / (.*)[\n]/; - $dhsubject = $1; + my @dhsubject = &System_output("/usr/bin/openssl", "dhparam", "-text", "-in", "${General::swroot}/ovpn/ca/dh1024.pem"); + my $dhsubject; + foreach my $line (@dhsubject) { + if ($line =~ / (.*)[\n]/) { + $dhsubject = $1; + + last; + } + } print < @@ -5674,9 +5794,19 @@ END # Adding ta.key to chart if (-f "${General::swroot}/ovpn/certs/ta.key") { - my $tasubject = `/bin/cat ${General::swroot}/ovpn/certs/ta.key`; - $tasubject =~ /# (.*)[\n]/; - $tasubject = $1; + open(FILE, "${General::swroot}/ovpn/certs/ta.key"); + my @tasubject = ; + close(FILE); + + my $tasubject; + foreach my $line (@tasubject) { + if($line =~ /# (.*)[\n]/) { + $tasubject = $1; + + last; + } + } + print < diff --git a/html/cgi-bin/pakfire.cgi b/html/cgi-bin/pakfire.cgi index faaeb4222..631587ce2 100644 --- a/html/cgi-bin/pakfire.cgi +++ b/html/cgi-bin/pakfire.cgi @@ -57,12 +57,10 @@ sub refreshpage{&Header::openbox( 'Waiting', 1, "$Lang::tr{'pakfire install package'}.$cgiparams{'INSPAKS'}.$Lang::tr{'pakfire possible dependency'} 
@@ -97,12 +95,10 @@ END
 
 	$cgiparams{'DELPAKS'} =~ s/\|/\ /g;
 	if ("$cgiparams{'FORCE'}" eq "on") {
-		my $command = "/usr/local/bin/pakfire remove --non-interactive --no-colors $cgiparams{'DELPAKS'} &>/dev/null &";
-		system("$command");
-		system("/bin/sleep 1");
+		&General::system_background("/usr/local/bin/pakfire", "remove", "--non-interactive", "--no-colors", $cgiparams{'DELPAKS'});
 	} else {
 		&Header::openbox("100%", "center", $Lang::tr{'request'});
-		my @output = `/usr/local/bin/pakfire resolvedeps --no-colors $cgiparams{'DELPAKS'}`;
+		my @output = &General::system_output("/usr/local/bin/pakfire", "resolvedeps", "--no-colors", $cgiparams{'DELPAKS'});
 		print <$Lang::tr{'pakfire uninstall package'}.$cgiparams{'DELPAKS'}.$Lang::tr{'pakfire possible dependency'}
 		
@@ -135,13 +131,9 @@ END
 	}
 
 } elsif (($cgiparams{'ACTION'} eq 'update') && (! -e $Pakfire::lockfile)) {
-
-	system("/usr/local/bin/pakfire update --force --no-colors &>/dev/null &");
-	system("/bin/sleep 1");
+	&General::system_background("/usr/local/bin/pakfire", "update", "--force", "--no-colors");
 } elsif (($cgiparams{'ACTION'} eq 'upgrade') && (!-e $Pakfire::lockfile)) {
-	my $command = "/usr/local/bin/pakfire upgrade -y --no-colors &>/dev/null &";
-	system("$command");
-	system("/bin/sleep 1");
+	&General::system_background("/usr/local/bin/pakfire", "upgrade", "-y", "--no-colors");
 } elsif ($cgiparams{'ACTION'} eq "$Lang::tr{'save'}") {
 	$pakfiresettings{"TREE"} = $cgiparams{"TREE"};
 
@@ -154,7 +146,7 @@ END
 		&General::writehash("${General::swroot}/pakfire/settings", \%pakfiresettings);
 
 		# Update lists
-		system("/usr/local/bin/pakfire update --force --no-colors &>/dev/null &");
+		&General::system_background("/usr/local/bin/pakfire", "update", "--force", "--no-colors");
 	}
 }
 
diff --git a/html/cgi-bin/pppsetup.cgi b/html/cgi-bin/pppsetup.cgi
index 7597bfbc7..519a062bc 100644
--- a/html/cgi-bin/pppsetup.cgi
+++ b/html/cgi-bin/pppsetup.cgi
@@ -39,6 +39,8 @@ my %checked=();
 my @profilenames=();
 my $errormessage = '';
 my $maxprofiles = 5;
+
+# This call is safe, because no user input will be processed.
 my $kernel=`/bin/uname -r | /usr/bin/tr -d '\012'`;
 
 my %color = ();
@@ -177,7 +179,12 @@ elsif ($pppsettings{'ACTION'} eq $Lang::tr{'save'})
                 $errormessage = $Lang::tr{'invalid input'};
                 goto ERROR; }
 
-        if( $pppsettings{'RECONNECTION'} eq 'dialondemand' && `/bin/cat ${General::swroot}/ddns/config` =~ /,on$/m ) {
+	# Read-in ddns config file, to check if at least one provider is enabled.
+	open(FILE, "${General::swroot}/ddns/config)";
+	my @ddns_config = 
+	close(FILE);
+
+        if( $pppsettings{'RECONNECTION'} eq 'dialondemand' && grep(/on/, @ddns_config) ) {
                 $errormessage = $Lang::tr{'dod not compatible with ddns'};
                 goto ERROR; }
 
@@ -520,7 +527,12 @@ print </dev/null | grep 0`;
+# Read-in atm devices from proc.
+open(PROC, "/proc/net/atm/devices");
+my @patm_devices = ;
+close(PROC);
+
+my $atmdev = grep(/0/, @atm_devices);
 chomp ($atmdev);
 if ($atmdev ne '') {
         print </${General::swroot}/ppp/updatesettings");
+	close(FILE);
 }
 
 sub writesecrets
diff --git a/html/cgi-bin/proxy.cgi b/html/cgi-bin/proxy.cgi
index b3c2d0713..78ad33ad2 100644
--- a/html/cgi-bin/proxy.cgi
+++ b/html/cgi-bin/proxy.cgi
@@ -32,7 +32,7 @@ require "${General::swroot}/header.pl";
 
 require "${General::swroot}/ids-functions.pl";
 
-my @squidversion = `/usr/sbin/squid -v`;
+my @squidversion = &General::system_output("/usr/sbin/squid", "-v");
 my $http_port='81';
 my $https_port='444';
 
@@ -131,35 +131,35 @@ unless (-d "$raddir")   { mkdir("$raddir"); }
 unless (-d "$identdir") { mkdir("$identdir"); }
 unless (-d "$credir")   { mkdir("$credir"); }
 
-unless (-e $cre_groups)  { system("touch $cre_groups"); }
-unless (-e $cre_svhosts) { system("touch $cre_svhosts"); }
+unless (-e $cre_groups)  { &General::system("touch", "$cre_groups"); }
+unless (-e $cre_svhosts) { &General::system("touch $cre_svhosts"); }
 
-unless (-e $userdb) { system("touch $userdb"); }
-unless (-e $stdgrp) { system("touch $stdgrp"); }
-unless (-e $extgrp) { system("touch $extgrp"); }
-unless (-e $disgrp) { system("touch $disgrp"); }
+unless (-e $userdb) { &General::system("touch", "$userdb"); }
+unless (-e $stdgrp) { &General::system("touch", "$stdgrp"); }
+unless (-e $extgrp) { &General::system("touch", "$extgrp"); }
+unless (-e $disgrp) { &General::system("touch", "$disgrp"); }
 
-unless (-e $acl_src_subnets)    { system("touch $acl_src_subnets"); }
-unless (-e $acl_src_banned_ip)  { system("touch $acl_src_banned_ip"); }
-unless (-e $acl_src_banned_mac) { system("touch $acl_src_banned_mac"); }
-unless (-e $acl_src_unrestricted_ip)  { system("touch $acl_src_unrestricted_ip"); }
-unless (-e $acl_src_unrestricted_mac) { system("touch $acl_src_unrestricted_mac"); }
-unless (-e $acl_src_noaccess_ip)  { system("touch $acl_src_noaccess_ip"); }
-unless (-e $acl_src_noaccess_mac) { system("touch $acl_src_noaccess_mac"); }
-unless (-e $acl_dst_noauth)     { system("touch $acl_dst_noauth"); }
-unless (-e $acl_dst_noauth_dom) { system("touch $acl_dst_noauth_dom"); }
-unless (-e $acl_dst_noauth_net) { system("touch $acl_dst_noauth_net"); }
-unless (-e $acl_dst_noauth_url) { system("touch $acl_dst_noauth_url"); }
-unless (-e $acl_dst_nocache)     { system("touch $acl_dst_nocache"); }
-unless (-e $acl_dst_nocache_dom) { system("touch $acl_dst_nocache_dom"); }
-unless (-e $acl_dst_nocache_net) { system("touch $acl_dst_nocache_net"); }
-unless (-e $acl_dst_nocache_url) { system("touch $acl_dst_nocache_url"); }
-unless (-e $acl_dst_throttle)  { system("touch $acl_dst_throttle"); }
-unless (-e $acl_ports_safe) { system("touch $acl_ports_safe"); }
-unless (-e $acl_ports_ssl)  { system("touch $acl_ports_ssl"); }
-unless (-e $acl_include) { system("touch $acl_include"); }
+unless (-e $acl_src_subnets)    { &General::system("touch", "$acl_src_subnets"); }
+unless (-e $acl_src_banned_ip)  { &General::system("touch", "$acl_src_banned_ip"); }
+unless (-e $acl_src_banned_mac) { &General::system("touch", "$acl_src_banned_mac"); }
+unless (-e $acl_src_unrestricted_ip)  { &General::system("touch", "$acl_src_unrestricted_ip"); }
+unless (-e $acl_src_unrestricted_mac) { &General::system("touch", "$acl_src_unrestricted_mac"); }
+unless (-e $acl_src_noaccess_ip)  { &General::system("touch", "$acl_src_noaccess_ip"); }
+unless (-e $acl_src_noaccess_mac) { &General::system("touch", "$acl_src_noaccess_mac"); }
+unless (-e $acl_dst_noauth)     { &General::system("touch", "$acl_dst_noauth"); }
+unless (-e $acl_dst_noauth_dom) { &General::system("touch", "$acl_dst_noauth_dom"); }
+unless (-e $acl_dst_noauth_net) { &General::system("touch", "$acl_dst_noauth_net"); }
+unless (-e $acl_dst_noauth_url) { &General::system("touch", "$acl_dst_noauth_url"); }
+unless (-e $acl_dst_nocache)     { &General::system("touch", "$acl_dst_nocache"); }
+unless (-e $acl_dst_nocache_dom) { &General::system("touch", "$acl_dst_nocache_dom"); }
+unless (-e $acl_dst_nocache_net) { &General::system("touch", "$acl_dst_nocache_net"); }
+unless (-e $acl_dst_nocache_url) { &General::system("touch", "$acl_dst_nocache_url"); }
+unless (-e $acl_dst_throttle)  { &General::system("touch", "$acl_dst_throttle"); }
+unless (-e $acl_ports_safe) { &General::system("touch", "$acl_ports_safe"); }
+unless (-e $acl_ports_ssl)  { &General::system("touch", "$acl_ports_ssl"); }
+unless (-e $acl_include) { &General::system("touch", "$acl_include"); }
 
-unless (-e $mimetypes) { system("touch $mimetypes"); }
+unless (-e $mimetypes) { &General::system("touch", "$mimetypes"); }
 
 my $HAVE_NTLM_AUTH = (-e "/usr/bin/ntlm_auth");
 
@@ -383,7 +383,7 @@ if (($proxysettings{'ACTION'} eq $Lang::tr{'save'}) || ($proxysettings{'ACTION'}
 		$errormessage = $Lang::tr{'advproxy errmsg mem cache size'};
 		goto ERROR;
 	}
-	my @free = `/usr/bin/free`;
+	my @free = &General::system_output("/usr/bin/free");
 	$free[1] =~ m/(\d+)/;
 	$cachemem = int $1 / 2048;
 	if ($proxysettings{'CACHE_MEM'} > $cachemem) {
@@ -630,25 +630,25 @@ ERROR:
 
 		if ($proxysettings{'CACHEMGR'} eq 'on'){&writecachemgr;}
 
-		system ('/usr/local/bin/squidctrl', 'disable');
+		&General::system ('/usr/local/bin/squidctrl', 'disable');
 		unlink "${General::swroot}/proxy/enable";
 		unlink "${General::swroot}/proxy/transparent";
 		unlink "${General::swroot}/proxy/enable_blue";
 		unlink "${General::swroot}/proxy/transparent_blue";
 
 		if ($proxysettings{'ENABLE'} eq 'on') {
-			system ('/usr/bin/touch', "${General::swroot}/proxy/enable");
-			system ('/usr/local/bin/squidctrl', 'enable'); }
+			&General::system('/usr/bin/touch', "${General::swroot}/proxy/enable");
+			&General::system('/usr/local/bin/squidctrl', 'enable'); }
 		if ($proxysettings{'TRANSPARENT'} eq 'on' && $proxysettings{'ENABLE'} eq 'on') {
-			system ('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
+			&General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent"); }
 		if ($proxysettings{'ENABLE_BLUE'} eq 'on') {
-			system ('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
-			system ('/usr/local/bin/squidctrl', 'enable'); }
+			&General::system('/usr/bin/touch', "${General::swroot}/proxy/enable_blue");
+			&General::system('/usr/local/bin/squidctrl', 'enable'); }
 		if ($proxysettings{'TRANSPARENT_BLUE'} eq 'on' && $proxysettings{'ENABLE_BLUE'} eq 'on') {
-			system ('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
+			&General::system('/usr/bin/touch', "${General::swroot}/proxy/transparent_blue"); }
 
-		if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
-		if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { system('/usr/local/bin/squidctrl reconfigure >/dev/null 2>&1'); }
+		if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy save and restart'}) { &General::system('/usr/local/bin/squidctrl', 'restart'); }
+		if ($proxysettings{'ACTION'} eq $Lang::tr{'proxy reconfigure'}) { &General::system('/usr/local/bin/squidctrl', 'reconfigure'); }
 
 		# Check if the suricata_proxy_ports_changed flag has been set.
 		if ($suricata_proxy_ports_changed) {
@@ -663,7 +663,7 @@ ERROR:
 
 if ($proxysettings{'ACTION'} eq $Lang::tr{'advproxy clear cache'})
 {
-	system('/usr/local/bin/squidctrl flush >/dev/null 2>&1');
+	&General::system('/usr/local/bin/squidctrl', 'flush');
 }
 
 if (!$errormessage)
diff --git a/html/cgi-bin/qos.cgi b/html/cgi-bin/qos.cgi
index 1825aca11..fa566b523 100644
--- a/html/cgi-bin/qos.cgi
+++ b/html/cgi-bin/qos.cgi
@@ -104,7 +104,7 @@ $qossettings{'TOS'} = '';
 &General::readhash("${General::swroot}/qos/settings", \%qossettings);
 &Header::getcgihash(\%qossettings);
 
-$qossettings{'RED_DEV'} = `cat /var/ipfire/red/iface`;
+$qossettings{'RED_DEV'} = &General::get_red_interface();
 
 my %color = ();
 my %mainsettings = ();
@@ -232,7 +232,7 @@ END
 	open( FILE, "< $level7file" ) or die "Unable to read $level7file";
 	@l7rules = ;
 	close FILE;
-  system("rm $level7file");
+	&General::system("rm", "$level7file");
   	foreach $l7ruleentry (sort @l7rules)
   	{
   		@l7ruleline = split( /\;/, $l7ruleentry );
@@ -244,13 +244,13 @@ END
 	        close FILE;
         }
 	  }
-	open( FILE, "< $level7file" ) or system("touch $level7file");close FILE;
+	open( FILE, "< $level7file" ) or &General::system("touch", "$level7file");close FILE;
 	} elsif ($qossettings{'DOLEVEL7'} eq $Lang::tr{'edit'})
 {
 	open( FILE, "< $level7file" ) or die "Unable to read $level7file";
 	@l7rules = ;
 	close FILE;
-	system("rm $level7file");
+	&General::system("rm", "$level7file");
   	foreach $l7ruleentry (sort @l7rules)
   	{
   		@l7ruleline = split( /\;/, $l7ruleentry );
@@ -263,7 +263,7 @@ END
       }
     }
   &level7rule;
-  open( FILE, "< $level7file" ) or system("touch $level7file");close FILE;
+  open( FILE, "< $level7file" ) or &General::system("touch", "$level7file");close FILE;
  }
 
 ############################################################################################################################
@@ -323,7 +323,7 @@ END
 	open( FILE, "< $portfile" ) or die "Unable to read $portfile";
 	@portrules = ;
 	close FILE;
-	system("rm $portfile");
+	&General::system("rm", "$portfile");
   	foreach $portruleentry (sort @portrules)
   	{
   		@portruleline = split( /\;/, $portruleentry );
@@ -336,7 +336,7 @@ END
       }
     }
    &portrule;
-  open( FILE, "< $portfile" ) or system("touch $portfile");close FILE;
+  open( FILE, "< $portfile" ) or &General::system("touch", "$portfile");close FILE;
  }
 
 ############################################################################################################################
@@ -408,25 +408,25 @@ if ($qossettings{'ACTION'} eq $Lang::tr{'start'})
 {
 	$qossettings{'ENABLED'} = 'on';
 	&General::writehash("${General::swroot}/qos/settings", \%qossettings);
-	system("/usr/local/bin/qosctrl generate >/dev/null 2>&1");
-	system("/usr/local/bin/qosctrl start >/dev/null 2>&1");
-	system("logger -t ipfire 'QoS started'");
+	&General::system("/usr/local/bin/qosctrl", "generate");
+	&General::system("/usr/local/bin/qosctrl", "start");
+	&General::system("logger", "-t", "ipfire", "QoS started");
 }
 elsif ($qossettings{'ACTION'} eq $Lang::tr{'stop'})
 {
 	$qossettings{'ENABLED'} = 'off';
 	&General::writehash("${General::swroot}/qos/settings", \%qossettings);
-	system("/usr/local/bin/qosctrl stop >/dev/null 2>&1");
-	system("/usr/local/bin/qosctrl generate >/dev/null 2>&1");
-	system("logger -t ipfire 'QoS stopped'");
+	&General::system("/usr/local/bin/qosctrl", "stop");
+	&General::system("/usr/local/bin/qosctrl", "generate");
+	&General::system("logger", "-t", "ipfire", "QoS stopped");
 }
 elsif ($qossettings{'ACTION'} eq $Lang::tr{'restart'})
 {
 	if ($qossettings{'ENABLED'} eq 'on'){
-		system("/usr/local/bin/qosctrl stop >/dev/null 2>&1");
-		system("/usr/local/bin/qosctrl generate >/dev/null 2>&1");
-		system("/usr/local/bin/qosctrl start >/dev/null 2>&1");
-		system("logger -t ipfire 'QoS restarted'");
+		&General::system("/usr/local/bin/qosctrl", "stop");
+		&General::system("/usr/local/bin/qosctrl", "generate");
+		&General::system("/usr/local/bin/qosctrl", "start");
+		&General::system("logger", "-t", "ipfire", "QoS restarted");
 	}
 }
 elsif ($qossettings{'ACTION'} eq $Lang::tr{'save'})
@@ -530,9 +530,9 @@ END
 		$qossettings{'ACK'} ="101";
 		$qossettings{'ENABLED'} = 'on';
 		&General::writehash("${General::swroot}/qos/settings", \%qossettings);
-		system("/usr/local/bin/qosctrl generate >/dev/null 2>&1");
-		system("/usr/local/bin/qosctrl start >/dev/null 2>&1");
-		system("logger -t ipfire 'QoS started'");
+		&General::system("/usr/local/bin/qosctrl", "generate");
+		&General::system("/usr/local/bin/qosctrl", "start");
+		&General::system("logger", "-t", "ipfire", "QoS started");
 	} else {
 		$message = $Lang::tr{'qos enter bandwidths'};
 	}
@@ -542,8 +542,8 @@ elsif ($qossettings{'ACTION'} eq $Lang::tr{'status'} )
 	&Header::openbox('100%', 'left', 'QoS Status');
 	if ($qossettings{'ENABLED'} eq 'on'){
 		my $output = "";
-		$output = `/usr/local/bin/qosctrl status`;
-		$output = &Header::cleanhtml($output,"y");
+		my @output = &General::system_output("/usr/local/bin/qosctrl", "status");
+		$output = &Header::cleanhtml(@output[0],"y");
 		print "
$output
\n";
 	} else { print "$Lang::tr{'QoS not enabled'}"; }
 	&Header::closebox();
diff --git a/html/cgi-bin/remote.cgi b/html/cgi-bin/remote.cgi
index c76f5129e..2bb85851d 100644
--- a/html/cgi-bin/remote.cgi
+++ b/html/cgi-bin/remote.cgi
@@ -65,7 +65,7 @@ if ( (($remotesettings{'ACTION'} eq $Lang::tr{'save'}) || ($remotesettings{'ACTI
 		{
 			$errormessage = $Lang::tr{'ssh no auth'};
 		}
-		system ('/usr/bin/touch', "${General::swroot}/remote/enablessh");
+		&General::system('/usr/bin/touch', "${General::swroot}/remote/enablessh");
 	}
 	else
 	{
@@ -85,8 +85,8 @@ if ( (($remotesettings{'ACTION'} eq $Lang::tr{'save'}) || ($remotesettings{'ACTI
 if ( $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart15'} || $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart30'} ){
 	if ($remotesettings{'ENABLE_SSH'} eq 'off')
 	{
-			system ('/usr/bin/touch', "${General::swroot}/remote/enablessh");
-			system('/usr/local/bin/sshctrl');
+			&General::system('/usr/bin/touch', "${General::swroot}/remote/enablessh");
+			&General::system('/usr/local/bin/sshctrl');
 	}
   if ( $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart15'} ) { $counter = 900;}
   elsif ( $remotesettings{'ACTION'} eq $Lang::tr{'ssh tempstart30'} ) { $counter = 1800;}
@@ -254,7 +254,10 @@ sub viewkey
 
   if ( -e $key )
   {
-    my @temp = split(/ /,`/usr/bin/ssh-keygen -l -f $key`);
+    # Use safe system_output function to call ssh-keygen and get the output from the tool.
+    my @ssh_keygen = &General::system_output("/usr/bin/ssh-keygen", "-l", "-f", "$key");
+
+    my @temp = split(/ /, $ssh_keygen[0]);
     my $keysize = &Header::cleanhtml($temp[0],"y");
     my $fingerprint = &Header::cleanhtml($temp[1],"y");
     print "$key$name$fingerprint$keysize\n";
@@ -264,8 +267,7 @@ sub viewkey
 sub printactivelogins()
 {
 	# print active SSH logins (grep outpout of "who -s")
-	my $command = "who -s";
-	my @output = `$command`;
+	my @output = &General::system_output("who", "-s");
 	chomp(@output);
 
 	my $id = 0;
diff --git a/html/cgi-bin/routing.cgi b/html/cgi-bin/routing.cgi
index d2d3bdd26..e69dc425a 100644
--- a/html/cgi-bin/routing.cgi
+++ b/html/cgi-bin/routing.cgi
@@ -474,5 +474,5 @@ sub SortDataFile
 # Build the configuration file
 #
 sub BuildConfiguration {
-    system '/usr/local/bin/rebuildroutes';
+    &General::system('/usr/local/bin/rebuildroutes');
 }
diff --git a/html/cgi-bin/samba.cgi b/html/cgi-bin/samba.cgi
index 72e8ac63e..9289b4519 100644
--- a/html/cgi-bin/samba.cgi
+++ b/html/cgi-bin/samba.cgi
@@ -85,14 +85,14 @@ delete $sambasettings{'__CGI__'};delete $sambasettings{'x'};delete $sambasetting
 ############################################################################################################################
 ############################################# Samba Rootskript aufrufe fr SU-Actions #######################################
 
-if ($sambasettings{'ACTION'} eq 'smbuserdisable'){system("/usr/local/bin/sambactrl smbuserdisable $sambasettings{'NAME'}");}
-if ($sambasettings{'ACTION'} eq 'smbuserenable'){system("/usr/local/bin/sambactrl smbuserenable $sambasettings{'NAME'}");}
-if ($sambasettings{'ACTION'} eq 'smbuseradd'){system("/usr/local/bin/sambactrl smbuseradd $sambasettings{'USERNAME'} $sambasettings{'PASSWORD'}");}
-if ($sambasettings{'ACTION'} eq 'smbchangepw'){system("/usr/local/bin/sambactrl smbchangepw $sambasettings{'USERNAME'} $sambasettings{'PASSWORD'}");}
-if ($sambasettings{'ACTION'} eq 'smbrestart'){system("/usr/local/bin/sambactrl smbrestart");}
-if ($sambasettings{'ACTION'} eq 'smbstart'){system("/usr/local/bin/sambactrl smbstart");}
-if ($sambasettings{'ACTION'} eq 'smbstop'){system("/usr/local/bin/sambactrl smbstop");}
-if ($sambasettings{'ACTION'} eq 'smbreload'){system("/usr/local/bin/sambactrl smbreload");}
+if ($sambasettings{'ACTION'} eq 'smbuserdisable'){&General::system("/usr/local/bin/sambactrl", "smbuserdisable", "$sambasettings{'NAME'}");}
+if ($sambasettings{'ACTION'} eq 'smbuserenable'){&General::system("/usr/local/bin/sambactrl", "smbuserenable", "$sambasettings{'NAME'}");}
+if ($sambasettings{'ACTION'} eq 'smbuseradd'){&General::system("/usr/local/bin/sambactrl", "smbuseradd", "$sambasettings{'USERNAME'}", "$sambasettings{'PASSWORD'}");}
+if ($sambasettings{'ACTION'} eq 'smbchangepw'){&General::system("/usr/local/bin/sambactrl", "smbchangepw", "$sambasettings{'USERNAME'}", "$sambasettings{'PASSWORD'}");}
+if ($sambasettings{'ACTION'} eq 'smbrestart'){&General::system("/usr/local/bin/sambactrl", "smbrestart");}
+if ($sambasettings{'ACTION'} eq 'smbstart'){&General::system("/usr/local/bin/sambactrl", "smbstart");}
+if ($sambasettings{'ACTION'} eq 'smbstop'){&General::system("/usr/local/bin/sambactrl", "smbstop");}
+if ($sambasettings{'ACTION'} eq 'smbreload'){&General::system("/usr/local/bin/sambactrl", "smbreload");}
 if ($sambasettings{'ACTION'} eq 'join') {
 	$message .= &joindomain($sambasettings{'USERNAME'}, $sambasettings{'PASSWORD'});
 }
@@ -124,7 +124,7 @@ if ($sambasettings{'ACTION'} eq 'smbsharechange') {
 ############################################################################################################################
 ########################################### Samba Benutzer oder PC l�chen #################################################
 
-if ($sambasettings{'ACTION'} eq 'userdelete'){system("/usr/local/bin/sambactrl smbuserdelete $sambasettings{'NAME'}");}
+if ($sambasettings{'ACTION'} eq 'userdelete'){&General::system("/usr/local/bin/sambactrl", "smbuserdelete", "$sambasettings{'NAME'}");}
 
 ############################################################################################################################
 ##################################### Umsetzen der Werte von Checkboxen und Dropdowns ######################################
@@ -138,7 +138,7 @@ if ($sambasettings{'ACTION'} eq $Lang::tr{'save'}) {
 	# Write configuration to file
 	&writeconfiguration();
 
-	system("/usr/local/bin/sambactrl smbreload");
+	&General::system("/usr/local/bin/sambactrl", "smbreload");
 }
 
 &General::readhash("${General::swroot}/samba/settings", \%sambasettings);
@@ -334,11 +334,11 @@ if ($sambasettings{'ROLE'} eq 'standalone') {
 			
 END
 
-	system('/usr/local/bin/sambactrl readsmbpasswd');
+	&General::system("/usr/local/bin/sambactrl", "readsmbpasswd");
 	open(FILE, "<${General::swroot}/samba/private/smbpasswd") or die "Can't read user file: $!";
 	my @users = ;
 	close(FILE);
-	system('/usr/local/bin/sambactrl locksmbpasswd');
+	&General::system("/usr/local/bin/sambactrl", "locksmbpasswd");
 
 	my $lines = 0;
 	foreach $userentry (sort @users) {
@@ -734,8 +734,8 @@ if ( $smb eq 'shares')
 
 close FILE;
 
-system("/usr/local/bin/sambactrl smbsafeconf");
-system("/usr/local/bin/sambactrl smbreload");
+&General::system("/usr/local/bin/sambactrl", "smbsafeconf");
+&General::system("/usr/local/bin/sambactrl", "smbreload");
 }
 
 sub isrunning
@@ -844,7 +844,7 @@ printable = yes
 END
 close FILE;
 
-	system("/usr/local/bin/sambactrl smbsafeconf");
+	&General::system("/usr/local/bin/sambactrl", "smbsafeconf");
 }
 
 sub joindomain {
diff --git a/html/cgi-bin/services.cgi b/html/cgi-bin/services.cgi
index 38b89ef1e..237475735 100644
--- a/html/cgi-bin/services.cgi
+++ b/html/cgi-bin/services.cgi
@@ -2,7 +2,7 @@
 ###############################################################################
 #                                                                             #
 # IPFire.org - A linux based firewall                                         #
-# Copyright (C) 2005-2010  IPFire Team                                        #
+# Copyright (C) 2005-2021  IPFire Team                                        #
 #                                                                             #
 # This program is free software: you can redistribute it and/or modify        #
 # it under the terms of the GNU General Public License as published by        #
@@ -141,7 +141,7 @@ END
 	my $paramstr=$ENV{QUERY_STRING};
 	my @param=split(/!/, $paramstr);
 	if ($param[1] ne ''){
-		system("/usr/local/bin/addonctrl @param[0] @param[1] > /dev/null 2>&1");
+		&General::system("/usr/local/bin/addonctrl", "$param[0]", "$param[1]");
 	}
 
 	print <";
 					$col="bgcolor='$color{'color20'}'";
 				}
+
 				print "$_ ";
 				my $status = isautorun($_,$col);
 				print "$status ";
@@ -217,27 +220,54 @@ END
 	&Header::closepage();
 }
 
-sub isautorun{
-	my $cmd = $_[0];
-	my $col = $_[1];
+sub isautorun (@) {
+	my ($cmd, $col) = @_;
+
+	# Init directory.
+	my $initdir = "/etc/rc.d/rc3.d/";
+
 	my $status = "";
-	my $init = `find /etc/rc.d/rc3.d/S??${cmd} 2>/dev/null`;
-	chomp ($init);
-	if ($init ne ''){
+
+	# Check if autorun for the given cmd is enabled.
+	if ( &find_init("$cmd", "$initdir") ) {
+		# Adjust status.
 		$status = "$Lang::tr{";
-	}
-	$init = `find /etc/rc.d/rc3.d/off/S??${cmd} 2>/dev/null`;
-	chomp ($init);
-	if ($init ne ''){
+	} else {
+		# Adjust status.
 		$status = "$Lang::tr{";
 	}
 
+	# Return the status.
 	return $status;
 }
 
-sub isrunning{
-	my $cmd = $_[0];
-	my $col = $_[1];
+sub find_init (@) {
+	my ($cmd, $dir) = @_;
+
+	# Open given init directory.
+	opendir (INITDIR, "$dir") || die "Cannot opendir $dir: $!";
+
+	# Read-in init files from directory.
+	my @inits = readdir(INITDIR);
+
+	# Close directory handle.
+	closedir(INITDIR);
+
+	# Loop through the directory.
+	foreach my $init (@inits) {
+		# Check if the current processed file belongs to the given command.
+		if ($init =~ /S\d+\d+$cmd\z/) {
+			# Found, return "1" - True.
+			return "1";
+		}
+        }
+
+	# Nothing found, return nothing.
+	return;
+}
+
+sub isrunning (@) {
+	my ($cmd, $col) = @_;
 	my $status = "$Lang::tr{'stopped'}";
 	my $pid = '';
 	my $testcmd = '';
@@ -288,16 +318,17 @@ sub isrunning{
 	return $status;
 }
 
-sub isrunningaddon{
-	my $cmd = $_[0];
-	my $col = $_[1];
+sub isrunningaddon (@) {
+	my ($cmd, $col) = @_;
+
 	my $status = "$Lang::tr{'stopped'}";
 	my $pid = '';
 	my $testcmd = '';
 	my $exename;
 	my @memory;
 
-	my $testcmd = `/usr/local/bin/addonctrl $_ status 2>/dev/null`;
+	my @testcmd = &General::system_output("/usr/local/bin/addonctrl", "$cmd", "status");
+	my $testcmd = @testcmd[0];
 
 	if ( $testcmd =~ /is\ running/ && $testcmd !~ /is\ not\ running/){
 		$status = "$Lang::tr{'running'}";
diff --git a/html/cgi-bin/shutdown.cgi b/html/cgi-bin/shutdown.cgi
index 998f9f8f4..e0a2c9da0 100644
--- a/html/cgi-bin/shutdown.cgi
+++ b/html/cgi-bin/shutdown.cgi
@@ -29,11 +29,11 @@ $cgiparams{'ACTION'} = '';
 if ($cgiparams{'ACTION'} eq $Lang::tr{'shutdown'}) {
 	$death = 1;
 	&General::log($Lang::tr{'shutting down ipfire'});
-	system '/usr/local/bin/ipfirereboot down';
+	&General::system('/usr/local/bin/ipfirereboot', 'down');
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'reboot'}) {
 	$rebirth = 1;
 	&General::log($Lang::tr{'rebooting ipfire'});
-	system '/usr/local/bin/ipfirereboot boot';
+	&General::system('/usr/local/bin/ipfirereboot', 'boot');
 }
 if ($death == 0 && $rebirth == 0) {
 
diff --git a/html/cgi-bin/speed.cgi b/html/cgi-bin/speed.cgi
index 4468abd90..8acdb2bd8 100644
--- a/html/cgi-bin/speed.cgi
+++ b/html/cgi-bin/speed.cgi
@@ -36,8 +36,8 @@ foreach $field (@fields) {
 	}
 }
 
-my $interface = `cat /var/ipfire/red/iface 2>/dev/null`;
-my @data_now = `ip -s link show $interface 2>/dev/null`;
+my $interface = &General::get_red_interface();
+my @data_now = &General::system_output("ip", "-s", "link", "show", "$interface");
 
 my $lastline;
 my $rxb_now = 0;
diff --git a/html/cgi-bin/time.cgi b/html/cgi-bin/time.cgi
index 8363b9951..6bf3dcc84 100644
--- a/html/cgi-bin/time.cgi
+++ b/html/cgi-bin/time.cgi
@@ -20,6 +20,7 @@
 ###############################################################################
 
 use strict;
+use POSIX qw(strftime);
 
 # enable only the following on debugging purpose
 #use warnings;
@@ -125,8 +126,8 @@ ERROR:
 
 	if ($timesettings{'ENABLENTP'} eq 'on' && $timesettings{'VALID'} eq 'yes')
 	{
-		system ('/usr/bin/touch', "${General::swroot}/time/enable");
-		system ('/usr/local/bin/timectrl enable >/dev/null 2>&1');
+		&General::system('/usr/bin/touch', "${General::swroot}/time/enable");
+		&General::system('/usr/local/bin/timectrl', 'enable');
 		&General::log($Lang::tr{'ntp syncro enabled'});
 		unlink "/var/lock/time/counter";
 		if ($timesettings{'UPDATE_METHOD'} eq 'periodically')
@@ -138,7 +139,7 @@ ERROR:
 		}
 		if ($timesettings{'ENABLECLNTP'} eq 'on') # DPC added to 1.3.1
 		{
-			system ('/usr/bin/touch', "${General::swroot}/time/allowclients"); # DPC added to 1.3.1
+			&General::system('/usr/bin/touch', "${General::swroot}/time/allowclients"); # DPC added to 1.3.1
 			&General::log($Lang::tr{'ntpd restarted'}); # DPC added to 1.3.1
 		} else {
 			unlink "${General::swroot}/time/allowclients";
@@ -150,11 +151,11 @@ ERROR:
 		unlink "${General::swroot}/time/enable";
 		unlink "/var/lock/time/settimenow";
 		unlink "${General::swroot}/time/allowclients"; # DPC added to 1.3.1
-		system ('/usr/local/bin/timectrl disable >/dev/null 2>&1');
+		&General::system('/usr/local/bin/timectrl', 'disable');
 		&General::log($Lang::tr{'ntp syncro disabled'})
 	}
 	if (! $errormessage) {
-		system ('/usr/local/bin/timectrl restart >/dev/null 2>&1'); # DPC added to 1.3.1
+		&General::system('/usr/local/bin/timectrl', 'restart'); # DPC added to 1.3.1
 	}
 }
 
@@ -163,7 +164,7 @@ ERROR:
 $timesettings{'ACTION'} = &Header::cleanhtml ($timesettings{'ACTION'});
 if ($timesettings{'ACTION'} eq $Lang::tr{'set time now'} && $timesettings{'ENABLENTP'} eq 'on')
 {
-	system ('/usr/bin/touch', "/var/lock/time/settimenow");
+	&General::system('/usr/bin/touch', "/var/lock/time/settimenow");
 }
 
 &General::readhash("${General::swroot}/time/settings", \%timesettings);
@@ -180,11 +181,18 @@ if ($timesettings{'VALID'} eq '')
 }
 
 unless ($errormessage) {
-	$timesettings{'SETMONTH'} = `date +'%m %e %Y %H %M'|cut -c 1-2`;
-	$timesettings{'SETDAY'} = `date +'%m %e %Y %H %M'|cut -c 4-5`;
-	$timesettings{'SETYEAR'} = `date +'%m %e %Y %H %M'|cut -c 7-10`;
-	$timesettings{'SETHOUR'} = `date +'%m %e %Y %H %M'|cut -c 12-13`;
-	$timesettings{'SETMINUTES'} = `date +'%m %e %Y %H %M'|cut -c 15-16`;
+	# Get date and time.
+	my $date = strftime("%m %e %Y %H %M", localtime);
+
+	# Split date string into single values.
+	my ($month, $day, $year, $hour, $minute) = split(/ /, $date);
+
+	# Assign values to the hash.
+	$timesettings{'SETMONTH'} = $month;
+	$timesettings{'SETDAY'} = $day;
+	$timesettings{'SETYEAR'} = $year;
+	$timesettings{'SETHOUR'} = $hour;
+	$timesettings{'SETMINUTES'} = $minute;
 	$_=$timesettings{'SETDAY'};
 	$timesettings{'SETDAY'}=~ tr/ /0/;
 }
diff --git a/html/cgi-bin/tor.cgi b/html/cgi-bin/tor.cgi
index f39c0d8da..3349336ae 100644
--- a/html/cgi-bin/tor.cgi
+++ b/html/cgi-bin/tor.cgi
@@ -873,9 +873,9 @@ sub BuildConfiguration() {
 
 	# Restart the service.
 	if (($settings{'TOR_ENABLED'} eq 'on') || ($settings{'TOR_RELAY_ENABLED'} eq 'on')) {
-		system("/usr/local/bin/torctrl restart &>/dev/null");
+		&General::system("/usr/local/bin/torctrl", "restart");
 	} else {
-		system("/usr/local/bin/torctrl stop &>/dev/null");
+		&General::system("/usr/local/bin/torctrl", "stop");
 	}
 	# Update pid and memory
 	daemonstats();
diff --git a/html/cgi-bin/traffic.cgi b/html/cgi-bin/traffic.cgi
index 4846cfdf9..2f28537d0 100644
--- a/html/cgi-bin/traffic.cgi
+++ b/html/cgi-bin/traffic.cgi
@@ -87,17 +87,17 @@ sub display_vnstat
 		print"No data for $device !
";
 	} else {
 	    # Summary
-	    system("/usr/bin/vnstati -c 1 -s -i $device -o /srv/web/ipfire/html/graphs/vnstat-s-$device.png");
+	    &General::system("/usr/bin/vnstati", "-c", "1", "-s", "-i", "$device", "-o", "/srv/web/ipfire/html/graphs/vnstat-s-$device.png");
 	    # 5-minute graphs
-	    system("/usr/bin/vnstati -c 1 -5 -i $device -o /srv/web/ipfire/html/graphs/vnstat-5-$device.png");
+	    &General::system("/usr/bin/vnstati", "-c", "1", "-5", "-i", "$device", "-o", "/srv/web/ipfire/html/graphs/vnstat-5-$device.png");
 	    # Hour graph
-	    system("/usr/bin/vnstati -c 1 -h -i $device -o /srv/web/ipfire/html/graphs/vnstat-h-$device.png");
+	    &General::system("/usr/bin/vnstati", "-c", "1", "-h", "-i", "$device", "-o", "/srv/web/ipfire/html/graphs/vnstat-h-$device.png");
 	    # Day graph
-	    system("/usr/bin/vnstati -c 1 -d -i $device -o /srv/web/ipfire/html/graphs/vnstat-d-$device.png");
+	    &General::system("/usr/bin/vnstati", "-c", "1", "-d", "-i", "$device", "-o", "/srv/web/ipfire/html/graphs/vnstat-d-$device.png");
 	    # Month graph
-	    system("/usr/bin/vnstati -c 1 -m -i $device -o /srv/web/ipfire/html/graphs/vnstat-m-$device.png");
+	    &General::system("/usr/bin/vnstati", "-c", "1", "-m", "-i", "$device", "-o", "/srv/web/ipfire/html/graphs/vnstat-m-$device.png");
 	    # Top10 graph
-	    system("/usr/bin/vnstati -c 1 -t -i $device -o /srv/web/ipfire/html/graphs/vnstat-t-$device.png");
+	    &General::system("/usr/bin/vnstati", "-c", "1", "-t", "-i", "$device", "-o", "/srv/web/ipfire/html/graphs/vnstat-t-$device.png");
 
 # Generate HTML-Table with the graphs
 print </dev/null 2>&1');
+	&General::system('/usr/local/bin/squidctrl', 'restart');
 }
 
 if ($xlratorsettings{'ACTION'} eq $Lang::tr{'updxlrtr remove file'})
@@ -278,7 +278,7 @@ if ($xlratorsettings{'ACTION'} eq $Lang::tr{'updxlrtr remove file'})
 	unless ($updatefile =~ /^download\//)
 	{
 		($vendorid,$uuid,$updatefile) = split('/',$updatefile);
-		if (-e "$repository/$vendorid/$uuid/$updatefile") { system("rm -r $repository/$vendorid/$uuid"); }
+		if (-e "$repository/$vendorid/$uuid/$updatefile") { &General::system("rm", "-r", "$repository/$vendorid/$uuid"); }
 	}
 }
 
@@ -295,16 +295,16 @@ if (($xlratorsettings{'ACTION'} eq $Lang::tr{'updxlrtr cancel download'}) || ($x
 			&General::readhash("$repository/download/$vendorid/$updatefile.info", \%dlinfo);
 
 			$id = &getPID("\\s${General::swroot}/updatexlrator/bin/download\\s.*\\s".quotemeta($dlinfo{'SRCURL'})."\\s\\d\\s\\d\$");
-			if ($id) { system("/bin/kill -9 $id"); }
+			if ($id) { &General::system("/bin/kill", "-9", "$id"); }
 			$id = &getPID("\\s/usr/bin/wget\\s.*\\s".quotemeta($dlinfo{'SRCURL'})."\$");
-			if ($id) { system("/bin/kill -9 $id"); }
+			if ($id) { &General::system("/bin/kill", "-9", "$id"); }
 
-			system("rm $repository/download/$vendorid/$updatefile.info");
+			&General::system("rm", "$repository/download/$vendorid/$updatefile.info");
 		}
 
 		if (-e "$repository/download/$vendorid/$updatefile")
 		{
-			system("rm $repository/download/$vendorid/$updatefile");
+			&General::system("rm", "$repository/download/$vendorid/$updatefile");
 		}
 	}
 
@@ -1478,15 +1478,15 @@ sub savesettings
 
 	if (($xlratorsettings{'ENABLE_AUTOCHECK'} eq 'on') && ($xlratorsettings{'AUTOCHECK_SCHEDULE'} eq 'daily'))
 	{
-		system('/usr/local/bin/updxlratorctrl cron daily >/dev/null 2>&1');
+		&General::system('/usr/local/bin/updxlratorctrl', 'cron', 'daily');
 	}
 	if (($xlratorsettings{'ENABLE_AUTOCHECK'} eq 'on') && ($xlratorsettings{'AUTOCHECK_SCHEDULE'} eq 'weekly'))
 	{
-		system('/usr/local/bin/updxlratorctrl cron weekly >/dev/null 2>&1');
+		&General::system('/usr/local/bin/updxlratorctrl', 'cron', 'weekly');
 	}
 	if (($xlratorsettings{'ENABLE_AUTOCHECK'} eq 'on') && ($xlratorsettings{'AUTOCHECK_SCHEDULE'} eq 'monthly'))
 	{
-		system('/usr/local/bin/updxlratorctrl cron monthly >/dev/null 2>&1');
+		&General::system('/usr/local/bin/updxlratorctrl', 'cron', 'monthly');
 	}
 
 	# don't save those variable to the settings file,
diff --git a/html/cgi-bin/urlfilter.cgi b/html/cgi-bin/urlfilter.cgi
index 28ffc8114..3a28721a9 100644
--- a/html/cgi-bin/urlfilter.cgi
+++ b/html/cgi-bin/urlfilter.cgi
@@ -95,9 +95,9 @@ my $ldesc='';
 my $gdesc='';
 
 if (! -d $dbdir) { mkdir("$dbdir"); }
-if (! -e $tcfile) { system("touch $tcfile"); }
-if (! -e $uqfile) { system("touch $uqfile"); }
-if (! -e $sourceurlfile) { system("touch $sourceurlfile"); }
+if (! -e $tcfile) { &General::system("touch", "$tcfile"); }
+if (! -e $uqfile) { &General::system("touch", "$uqfile"); }
+if (! -e $sourceurlfile) { &General::system("touch", "$sourceurlfile"); }
 
 &General::readhash("${General::swroot}/ethernet/settings", \%netsettings);
 &General::readhash("${General::swroot}/main/settings", \%mainsettings);
@@ -226,7 +226,7 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 
 		if (!(-d "${General::swroot}/urlfilter/update")) { mkdir("${General::swroot}/urlfilter/update"); }
 
-		my $exitcode = system("/bin/tar --no-same-owner -xzf ${General::swroot}/urlfilter/blacklists.tar.gz -C ${General::swroot}/urlfilter/update");
+		my $exitcode = &General::system("/bin/tar", "--no-same-owner", "-xzf", "${General::swroot}/urlfilter/blacklists.tar.gz", "-C", "${General::swroot}/urlfilter/update");
 
 		if ($exitcode > 0)
 		{
@@ -235,18 +235,19 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 
 			if (-d "${General::swroot}/urlfilter/update/BL")
 			{
-				system("mv ${General::swroot}/urlfilter/update/BL ${General::swroot}/urlfilter/update/blacklists");
+				&General::system("mv", "${General::swroot}/urlfilter/update/BL", "${General::swroot}/urlfilter/update/blacklists");
 			}
 
 			if (-d "${General::swroot}/urlfilter/update/category")
 			{
-				system("mv ${General::swroot}/urlfilter/update/category ${General::swroot}/urlfilter/update/blacklists");
+				&General::system("mv", "${General::swroot}/urlfilter/update/category", "${General::swroot}/urlfilter/update/blacklists");
 			}
 
 			if (!(-d "${General::swroot}/urlfilter/update/blacklists"))
 			{
 				$errormessage = $Lang::tr{'urlfilter invalid content'};
 			} else {
+				# XXX Uses globbing
 				system("cp -r ${General::swroot}/urlfilter/update/blacklists/* $dbdir");
 
 				&readblockcategories;
@@ -255,11 +256,11 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 				&writeconfigfile;
 
 				$updatemessage = $Lang::tr{'urlfilter upload success'};
-				system("${General::swroot}/urlfilter/bin/prebuild.pl &");
-				system("logger -t installpackage[urlfilter] \"URL filter blacklist - Blacklist update from local source completed\"");
+				&General::system_background("${General::swroot}/urlfilter/bin/prebuild.pl");
+				&General::system("logger", "-t", "installpackage[urlfilter]", "URL filter blacklist - Blacklist update from local source completed");
 			}
 		}
-		if (-d "${General::swroot}/urlfilter/update") { system("rm -rf ${General::swroot}/urlfilter/update"); }
+		if (-d "${General::swroot}/urlfilter/update") { &General::system("rm", "-rf", "${General::swroot}/urlfilter/update"); }
 		if (-e "${General::swroot}/urlfilter/blacklists.tar.gz") { unlink("${General::swroot}/urlfilter/blacklists.tar.gz"); }
 		if ($errormessage) { goto ERROR; }
 	}
@@ -267,7 +268,7 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 	if ($filtersettings{'ACTION'} eq $Lang::tr{'urlfilter backup'})
 	{
 		$blistbackup = ($filtersettings{'ENABLE_FULLBACKUP'} eq 'on') ? "blacklists" : "blacklists/custom";
-		if (system("/bin/tar -C ${General::swroot}/urlfilter -czf ${General::swroot}/urlfilter/backup.tar.gz settings timeconst userquota autoupdate $blistbackup"))
+		if (&General::system("/bin/tar", "-C", "${General::swroot}/urlfilter", "-czf", "${General::swroot}/urlfilter/backup.tar.gz", "settings", "timeconst", "userquota", "autoupdate", "$blistbackup"))
 		{
 			$errormessage = $Lang::tr{'urlfilter backup error'};
 			goto ERROR;
@@ -306,7 +307,7 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 			$errormessage = $!;
 		}
 
-		my $exitcode = system("/bin/tar --no-same-owner --preserve-permissions -xzf ${General::swroot}/urlfilter/backup.tar.gz -C ${General::swroot}/urlfilter/restore");
+		my $exitcode = &General::system("/bin/tar", "--no-same-owner", "--preserve-permissions", "-xzf", "${General::swroot}/urlfilter/backup.tar.gz", "-C", "${General::swroot}/urlfilter/restore");
 		if ($exitcode > 0)
 		{
 			$errormessage = $Lang::tr{'urlfilter tar error'};
@@ -315,6 +316,7 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 			{
 				$errormessage = $Lang::tr{'urlfilter invalid restore file'};
 			} else {
+				# XXX uses globbing
 				system("cp -rp ${General::swroot}/urlfilter/restore/* ${General::swroot}/urlfilter/");
 				&readblockcategories;
 				&readcustomlists;
@@ -325,7 +327,7 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
 		}
 
 		if (-e "${General::swroot}/urlfilter/backup.tar.gz") { unlink("${General::swroot}/urlfilter/backup.tar.gz"); }
-		if (-d "${General::swroot}/urlfilter/restore") { system("rm -rf ${General::swroot}/urlfilter/restore"); }
+		if (-d "${General::swroot}/urlfilter/restore") { &General::system("rm", "-rf", "${General::swroot}/urlfilter/restore"); }
 		if ($errormessage) { goto ERROR; }
 	}
 
@@ -351,7 +353,7 @@ if (($filtersettings{'ACTION'} eq $Lang::tr{'save'}) ||
               	$filtersettings{'VALID'} = 'yes';
 		&savesettings;
 
-		system('/usr/local/bin/squidctrl restart >/dev/null 2>&1');
+		&General::system('/usr/local/bin/squidctrl', 'restart');
 	}
 }
 
@@ -485,7 +487,7 @@ if (($tcsettings{'MODE'} eq 'TIMECONSTRAINT') && ($tcsettings{'ACTION'} eq $Lang
 		$errormessage = $Lang::tr{'urlfilter web proxy service required'};
 	}
 
-	if (!$errormessage) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
+	if (!$errormessage) { &General::system('/usr/local/bin/squidctrl', 'restart'); }
 	$tcsettings{'TCMODE'}='on';
 }
 
@@ -688,7 +690,7 @@ if (($uqsettings{'MODE'} eq 'USERQUOTA') && ($uqsettings{'ACTION'} eq $Lang::tr{
 		$errormessage = $Lang::tr{'urlfilter web proxy service required'};
 	}
 
-	if (!$errormessage) { system('/usr/local/bin/squidctrl restart >/dev/null 2>&1'); }
+	if (!$errormessage) { &General::system('/usr/local/bin/squidctrl', 'restart'); }
 	$uqsettings{'UQMODE'}='on';
 }
 
@@ -772,7 +774,7 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter import blacklist'}) && ($bese
 			$errormessage = $!;
 		} else {
 
-			my $exitcode = system("/bin/tar --no-same-owner --preserve-permissions -xzf $editdir/blacklist.tar.gz -C $editdir");
+			my $exitcode = &General::system("/bin/tar", "--no-same-owner", "--preserve-permissions", "-xzf", "$editdir/blacklist.tar.gz", "-C", "$editdir");
 			if ($exitcode > 0)
 			{
 				$errormessage = $Lang::tr{'urlfilter tar error'};
@@ -819,7 +821,7 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter import blacklist'}) && ($bese
 				}
 			}
 
-		if (-d $editdir) { system("rm -rf $editdir"); }
+		if (-d $editdir) { &General::system("rm", "-rf", "$editdir"); }
 
 		}
 	}
@@ -853,7 +855,7 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter export blacklist'}) && ($bese
 		print FILE "$besettings{'BE_EXPRESSIONS'}\n";
 		close FILE;
 
-		if (system("/bin/tar -C $editdir -czf $editdir/$besettings{'BE_NAME'}.tar.gz blacklists"))
+		if (&General::system("/bin/tar", "-C", "$editdir", "-czf", "$editdir/$besettings{'BE_NAME'}.tar.gz", "blacklists"))
 		{
 			$errormessage = $Lang::tr{'urlfilter export error'};
 		}
@@ -869,7 +871,7 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter export blacklist'}) && ($bese
 			while () { print; }
 			close (FILE);
 
-			if (-d $editdir) { system("rm -rf $editdir"); }
+			if (-d $editdir) { &General::system("rm", "-rf", "$editdir"); }
 			exit;
 		}
 	} else {
@@ -933,8 +935,10 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes
 		print FILE "}\n";
 		close FILE;
 
+		# XXX uses globbing
 		system("rm -f $dbdir/$besettings{'BE_NAME'}/*.db");
-		system("/usr/bin/squidGuard -c $editdir/install.conf -C all");
+		&General::system("/usr/bin/squidGuard", "-c", "$editdir/install.conf", "-C", "all");
+		# XXX uses globbing
 		system("chmod a+w $dbdir/$besettings{'BE_NAME'}/*.db");
 
 		&readblockcategories;
@@ -942,9 +946,9 @@ if (($besettings{'ACTION'} eq $Lang::tr{'urlfilter install blacklist'}) && ($bes
 
 		&writeconfigfile;
 
-		system('/usr/local/bin/squidctrl restart >/dev/null 2>&1') unless ($besettings{'NORESTART'} eq 'on');
+		&General::system('/usr/local/bin/squidctrl', 'restart') unless ($besettings{'NORESTART'} eq 'on');
 
-		if (-d $editdir) { system("rm -rf $editdir"); }
+		if (-d $editdir) { &General::system("rm", "-rf", "$editdir"); }
 	} else {
 		$errormessage = $Lang::tr{'urlfilter category data error'};
 	}
@@ -966,17 +970,17 @@ if ($filtersettings{'ACTION'} eq $Lang::tr{'urlfilter save schedule'})
 
 		if (($filtersettings{'ENABLE_AUTOUPDATE'} eq 'on') && ($filtersettings{'UPDATE_SCHEDULE'} eq 'daily'))
 		{
-			system('/usr/local/bin/urlfilterctrl cron daily >/dev/null 2>&1');
+			&General::system('/usr/local/bin/urlfilterctrl', 'cron', 'daily');
 		}
 
 		if (($filtersettings{'ENABLE_AUTOUPDATE'} eq 'on') && ($filtersettings{'UPDATE_SCHEDULE'} eq 'weekly'))
 		{
-			system('/usr/local/bin/urlfilterctrl cron weekly >/dev/null 2>&1');
+			&General::system('/usr/local/bin/urlfilterctrl', 'cron', 'weekly');
 		}
 
 		if (($filtersettings{'ENABLE_AUTOUPDATE'} eq 'on') && ($filtersettings{'UPDATE_SCHEDULE'} eq 'monthly'))
 		{
-			system('/usr/local/bin/urlfilterctrl cron monthly >/dev/null 2>&1');
+			&General::system('/usr/local/bin/urlfilterctrl', 'cron', 'monthly');
 		}
 	}
 }
@@ -989,10 +993,10 @@ if ($filtersettings{'ACTION'} eq $Lang::tr{'urlfilter update now'})
 		{
 			$errormessage = $Lang::tr{'urlfilter custom url required'};
 		} else {
-			system("${General::swroot}/urlfilter/bin/autoupdate.pl $filtersettings{'CUSTOM_UPDATE_URL'} &");
+			&General::system_background("${General::swroot}/urlfilter/bin/autoupdate.pl", "$filtersettings{'CUSTOM_UPDATE_URL'}");
 		}
 	} else {
-		system("${General::swroot}/urlfilter/bin/autoupdate.pl $filtersettings{'UPDATE_SOURCE'} &");
+		&General::system_background("${General::swroot}/urlfilter/bin/autoupdate.pl", "$filtersettings{'UPDATE_SOURCE'}");
 	}
 }
 
@@ -2533,11 +2537,11 @@ sub savesettings
 	delete $filtersettings{'BACKGROUND'};
 	delete $filtersettings{'UPDATEFILE'};
 
-	system("chown -R nobody.nobody $dbdir");
-	system('/usr/bin/squidGuard -C custom/allowed/domains >/dev/null 2>&1');
-	system('/usr/bin/squidGuard -C custom/allowed/urls >/dev/null 2>&1');
-	system('/usr/bin/squidGuard -C custom/blocked/domains >/dev/null 2>&1');
-	system('/usr/bin/squidGuard -C custom/blocked/urls >/dev/null 2>&1 ');
+	&General::system("chown", "-R", "nobody.nobody", "$dbdir");
+	&General::system('/usr/bin/squidGuard', '-C', 'custom/allowed/domains');
+	&General::system('/usr/bin/squidGuard', '-C', 'custom/allowed/urls');
+	&General::system('/usr/bin/squidGuard', '-C', 'custom/blocked/domains');
+	&General::system('/usr/bin/squidGuard', '-C', 'custom/blocked/urls');
 	&setpermissions ($dbdir);
 
 	&General::writehash("${General::swroot}/urlfilter/settings", \%filtersettings);
@@ -2694,12 +2698,13 @@ sub setpermissions
 	foreach $category (<$bldir/*>)
 	{
         	 if (-d $category){
-			system("chmod 755 $category &> /dev/null");
+			&General::system("chmod", "755", "$category");
 			foreach $blacklist (<$category/*>)
 			{
-         			if (-f $blacklist) { system("chmod 644 $blacklist &> /dev/null"); }
-         			if (-d $blacklist) { system("chmod 755 $blacklist &> /dev/null"); }
+         			if (-f $blacklist) { &General::system("chmod", "644", "$blacklist"); }
+         			if (-d $blacklist) { &General::system("chmod", "755", "$blacklist"); }
 			}
+			# XXX uses globbing
         	 	system("chmod 666 $category/*.db &> /dev/null");
 			&setpermissions ($category);
 		}
diff --git a/html/cgi-bin/vpnmain.cgi b/html/cgi-bin/vpnmain.cgi
index 20ee6da93..79a2943d4 100644
--- a/html/cgi-bin/vpnmain.cgi
+++ b/html/cgi-bin/vpnmain.cgi
@@ -208,10 +208,12 @@ sub newcleanssldatabase {
 		close FILE;
 	}
 	if (! -s ">${General::swroot}/certs/index.txt") {
-		system ("touch ${General::swroot}/certs/index.txt");
+		open(FILE, ">${General::swroot}/certs/index.txt");
+		close(FILE);
 	}
 	if (! -s ">${General::swroot}/certs/index.txt.attr") {
-		system ("touch ${General::swroot}/certs/index.txt.attr");
+		open(FILE, ">${General::swroot}/certs/index.txt.attr");
+		close(FILE);
 	}
 	unlink ("${General::swroot}/certs/index.txt.old");
 	unlink ("${General::swroot}/certs/index.txt.attr.old");
@@ -224,9 +226,13 @@ sub newcleanssldatabase {
 ###
 sub callssl ($) {
 	my $opt = shift;
-	my $retssl = `/usr/bin/openssl $opt 2>&1`; #redirect stderr
+
+	# Split the given argument string into single pieces and assign them to an array.
+	my @opts = split(/ /, $opt);
+
+	my @retssl = &General::system_output("/usr/bin/openssl", @opts); #redirect stderr
 	my $ret = '';
-	foreach my $line (split (/\n/, $retssl)) {
+	foreach my $line (split (/\n/, @retssl)) {
 		&General::log("ipsec", "$line") if (0); # 1 for verbose logging
 		$ret .= '
'.$line if ( $line =~ /error|unknown/ );
 	}
@@ -240,13 +246,21 @@ sub callssl ($) {
 ###
 sub getCNfromcert ($) {
 	#&General::log("ipsec", "Extracting name from $_[0]...");
-	my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
-	$temp =~ /Subject:.*CN = (.*)[\n]/;
-	$temp = $1;
-	$temp =~ s+/Email+, E+;
-	$temp =~ s/ ST = / S = /;
-	$temp =~ s/,//g;
-	$temp =~ s/\'//g;
+	my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$_[0]");
+	my $temp;
+
+	foreach my $line (@temp) {
+		if ($line =~ /Subject:.*CN = (.*)[\n]/) {
+			$temp = $1;
+			$temp =~ s+/Email+, E+;
+			$temp =~ s/ ST = / S = /;
+			$temp =~ s/,//g;
+			$temp =~ s/\'//g;
+
+			last;
+		}
+	}
+
 	return $temp;
 }
 ###
@@ -254,11 +268,19 @@ sub getCNfromcert ($) {
 ###
 sub getsubjectfromcert ($) {
 	#&General::log("ipsec", "Extracting subject from $_[0]...");
-	my $temp = `/usr/bin/openssl x509 -text -in $_[0]`;
-	$temp =~ /Subject: (.*)[\n]/;
-	$temp = $1;
-	$temp =~ s+/Email+, E+;
-	$temp =~ s/ ST = / S = /;
+	my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$_[0]");
+	my $temp;
+
+	foreach my $line (@temp) {
+		if($line =~ /Subject: (.*)[\n]/) {
+			$temp = $1;
+			$temp =~ s+/Email+, E+;
+			$temp =~ s/ ST = / S = /;
+
+			last;
+		}
+	}
+
 	return $temp;
 }
 ###
@@ -568,9 +590,9 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	&General::writehash("${General::swroot}/vpn/settings", \%vpnsettings);
 	&writeipsecfiles();
 	if (&vpnenabled) {
-		system('/usr/local/bin/ipsecctrl', 'S');
+		&General::system('/usr/local/bin/ipsecctrl', 'S');
 	} else {
-		system('/usr/local/bin/ipsecctrl', 'D');
+		&General::system('/usr/local/bin/ipsecctrl', 'D');
 	}
 	sleep $sleepDelay;
 	SAVE_ERROR:
@@ -595,7 +617,7 @@ if ($cgiparams{'ACTION'} eq $Lang::tr{'save'} && $cgiparams{'TYPE'} eq '' && $cg
 	}
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 	&writeipsecfiles();
-	system('/usr/local/bin/ipsecctrl', 'R');
+	&General::system('/usr/local/bin/ipsecctrl', 'R');
 	sleep $sleepDelay;
 
 ###
@@ -667,8 +689,8 @@ END
 		$errormessage = $!;
 		goto UPLOADCA_ERROR;
 	}
-	my $temp = `/usr/bin/openssl x509 -text -in $filename`;
-	if ($temp !~ /CA:TRUE/i) {
+	my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "$filename");
+	if (! grep(/CA:TRUE/, @temp)) {
 		$errormessage = $Lang::tr{'not a valid ca certificate'};
 		unlink ($filename);
 		goto UPLOADCA_ERROR;
@@ -686,7 +708,7 @@ END
 	$cahash{$key}[1] = &Header::cleanhtml(getsubjectfromcert ("${General::swroot}/ca/$cgiparams{'CA_NAME'}cert.pem"));
 	&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
 
-	system('/usr/local/bin/ipsecctrl', 'R');
+	&General::system('/usr/local/bin/ipsecctrl', 'R');
 	sleep $sleepDelay;
 
 	UPLOADCA_ERROR:
@@ -702,9 +724,9 @@ END
 		&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 		&Header::openbigbox('100%', 'left', '', '');
 		&Header::openbox('100%', 'left', "$Lang::tr{'ca certificate'}:");
-		my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
-		$output = &Header::cleanhtml($output,"y");
-		print "
$output
\n";
+		my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+		@output = &Header::cleanhtml(@output,"y");
+		print "
@output
\n";
 		&Header::closebox();
 		print "";
 		&Header::closebigbox();
@@ -724,7 +746,9 @@ END
 		print "Content-Type: application/force-download\n";
 		print "Content-Type: application/octet-stream\r\n";
 		print "Content-Disposition: attachment; filename=$cahash{$cgiparams{'KEY'}}[0]cert.pem\r\n\r\n";
-		print `/usr/bin/openssl x509 -in ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem`;
+
+		my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
+		print "@cert";
 		exit(0);
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
@@ -739,21 +763,21 @@ END
 
 	if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
 		foreach my $key (keys %confighash) {
-			my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
-			if ($test =~ /: OK/) {
+			my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+			if (grep(/: OK/, @test)) {
 				# Delete connection
 				unlink ("${General::swroot}/certs/$confighash{$key}[1]cert.pem");
 				unlink ("${General::swroot}/certs/$confighash{$key}[1].p12");
 				delete $confighash{$key};
 				&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 				&writeipsecfiles();
-				system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
+				&General::system('/usr/local/bin/ipsecctrl', 'D', $key) if (&vpnenabled);
 			}
 		}
 		unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
 		delete $cahash{$cgiparams{'KEY'}};
 		&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-		system('/usr/local/bin/ipsecctrl', 'R');
+		&General::system('/usr/local/bin/ipsecctrl', 'R');
 		sleep $sleepDelay;
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
@@ -768,8 +792,8 @@ END
 	my $assignedcerts = 0;
 	if ( -f "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem" ) {
 		foreach my $key (keys %confighash) {
-			my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem ${General::swroot}/certs/$confighash{$key}[1]cert.pem`;
-			if ($test =~ /: OK/) {
+			my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem", "${General::swroot}/certs/$confighash{$key}[1]cert.pem");
+			if (grep(/: OK/, @test)) {
 				$assignedcerts++;
 			}
 		}
@@ -805,7 +829,7 @@ END
 			unlink ("${General::swroot}/ca/$cahash{$cgiparams{'KEY'}}[0]cert.pem");
 			delete $cahash{$cgiparams{'KEY'}};
 			&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-			system('/usr/local/bin/ipsecctrl', 'R');
+			&General::system('/usr/local/bin/ipsecctrl', 'R');
 			sleep $sleepDelay;
 		}
 	} else {
@@ -817,19 +841,19 @@ END
 ###
 } elsif ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'} ||
 	$cgiparams{'ACTION'} eq $Lang::tr{'show host certificate'}) {
-	my $output;
+	my @output;
 	&Header::showhttpheaders();
 	&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 	&Header::openbigbox('100%', 'left', '', '');
 	if ($cgiparams{'ACTION'} eq $Lang::tr{'show root certificate'}) {
 		&Header::openbox('100%', 'left', "$Lang::tr{'root certificate'}:");
-		$output = `/usr/bin/openssl x509 -text -in ${General::swroot}/ca/cacert.pem`;
+		@output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/ca/cacert.pem");
 	} else {
 		&Header::openbox('100%', 'left', "$Lang::tr{'host certificate'}:");
-		$output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/hostcert.pem`;
+		@output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/hostcert.pem");
 	}
-	$output = &Header::cleanhtml($output,"y");
-	print "
$output
\n";
+	@output = &Header::cleanhtml(@output,"y");
+	print "
@output
\n";
 	&Header::closebox();
 	print "";
 	&Header::closebigbox();
@@ -843,7 +867,9 @@ END
 	if ( -f "${General::swroot}/ca/cacert.pem" ) {
 		print "Content-Type: application/force-download\n";
 		print "Content-Disposition: attachment; filename=cacert.pem\r\n\r\n";
-		print `/usr/bin/openssl x509 -in ${General::swroot}/ca/cacert.pem`;
+
+		my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/ca/cacert.pem");
+		print "@cert";
 		exit(0);
 	}
 ###
@@ -853,7 +879,9 @@ END
 	if ( -f "${General::swroot}/certs/hostcert.pem" ) {
 		print "Content-Type: application/force-download\n";
 		print "Content-Disposition: attachment; filename=hostcert.pem\r\n\r\n";
-		print `/usr/bin/openssl x509 -in ${General::swroot}/certs/hostcert.pem`;
+
+		my @cert = &General::system_output("/usr/bin/openssl", "x509", "-in", "${General::swroot}/certs/hostcert.pem");
+		print "@cert";
 		exit(0);
 	}
 ###
@@ -1216,7 +1244,7 @@ END
 
 	ROOTCERT_SUCCESS:
 	if (&vpnenabled) {
-		system('/usr/local/bin/ipsecctrl', 'S');
+		&General::system('/usr/local/bin/ipsecctrl', 'S');
 		sleep $sleepDelay;
 	}
 	ROOTCERT_SKIP:
@@ -1228,7 +1256,12 @@ END
 	print "Content-Type: application/force-download\n";
 	print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . ".p12\r\n";
 	print "Content-Type: application/octet-stream\r\n\r\n";
-	print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12`;
+
+	open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1].p12");
+	my @p12 = ;
+	close(FILE);
+	print "@file";
+
 	exit (0);
 
 # Export Apple profile to browser
@@ -1507,9 +1540,9 @@ END
 		&Header::openpage($Lang::tr{'ipsec'}, 1, '');
 		&Header::openbigbox('100%', 'left', '', '');
 		&Header::openbox('100%', 'left', "$Lang::tr{'cert'}:");
-		my $output = `/usr/bin/openssl x509 -text -in ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
-		$output = &Header::cleanhtml($output,"y");
-		print "
$output
\n";
+		my @output = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+		@output = &Header::cleanhtml(@output,"y");
+		print "
@output
\n";
 		&Header::closebox();
 		print "";
 		&Header::closebigbox();
@@ -1526,7 +1559,12 @@ END
 	if ( -f "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem") {
 		print "Content-Type: application/force-download\n";
 		print "Content-Disposition: attachment; filename=" . $confighash{$cgiparams{'KEY'}}[1] . "cert.pem\n\n";
-		print `/bin/cat ${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem`;
+
+		open(FILE, "${General::swroot}/certs/$confighash{$cgiparams{'KEY'}}[1]cert.pem");
+		my @pem = ;
+		close(FILE);
+		print "@pem";
+
 		exit (0);
 	}
 
@@ -1543,12 +1581,12 @@ END
 			$confighash{$cgiparams{'KEY'}}[0] = 'on';
 			&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 			&writeipsecfiles();
-			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
+			&General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'}) if (&vpnenabled);
 		} else {
 			$confighash{$cgiparams{'KEY'}}[0] = 'off';
 			&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 			&writeipsecfiles();
-			system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+			&General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 		}
 		sleep $sleepDelay;
 	} else {
@@ -1564,7 +1602,7 @@ END
 
 	if ($confighash{$cgiparams{'KEY'}}) {
 		if (&vpnenabled) {
-			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+			&General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
 			sleep $sleepDelay;
 		}
 	} else {
@@ -1584,7 +1622,7 @@ END
 		delete $confighash{$cgiparams{'KEY'}};
 		&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 		&writeipsecfiles();
-		system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
+		&General::system('/usr/local/bin/ipsecctrl', 'D', $cgiparams{'KEY'}) if (&vpnenabled);
 	} else {
 		$errormessage = $Lang::tr{'invalid key'};
 	}
@@ -1952,8 +1990,8 @@ END
 				unshift (@names,$cahash{$x}[0]);
 			}
 			if ($casubject) { # a new one!
-				my $temp = `/usr/bin/openssl x509 -text -in /tmp/newcacert`;
-				if ($temp !~ /CA:TRUE/i) {
+				my @temp = &General::system_output("/usr/bin/openssl", "x509", "-text", "-in", "/tmp/newcacert");
+				if (! grep(/CA:TRUE/, @temp)) {
 					$errormessage = $Lang::tr{'not a valid ca certificate'};
 				} else {
 					#compute a name for it
@@ -1968,7 +2006,7 @@ END
 						$cahash{$key}[0] = $cgiparams{'CA_NAME'};
 						$cahash{$key}[1] = $casubject;
 						&General::writehasharray("${General::swroot}/vpn/caconfig", \%cahash);
-						system('/usr/local/bin/ipsecctrl', 'R');
+						&General::system('/usr/local/bin/ipsecctrl', 'R');
 					}
 				}
 			}
@@ -2008,12 +2046,12 @@ END
 		# Verify the certificate has a valid CA and move it
 		&General::log("ipsec", "Validating imported cert against our known CA...");
 		my $validca = 1; #assume ok
-		my $test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/cacert.pem $filename`;
-		if ($test !~ /: OK/) {
+		my @test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/cacert.pem", "$filename");
+		if (! grep(/: OK/, @test)) {
 			my $validca = 0;
 			foreach my $key (keys %cahash) {
-				$test = `/usr/bin/openssl verify -CAfile ${General::swroot}/ca/$cahash{$key}[0]cert.pem $filename`;
-				if ($test =~ /: OK/) {
+				@test = &General::system_output("/usr/bin/openssl", "verify", "-CAfile", "${General::swroot}/ca/$cahash{$key}[0]cert.pem", "$filename");
+				if (grep(/: OK/, @test)) {
 					$validca = 1;
 					last;
 				}
@@ -2276,7 +2314,7 @@ END
 	&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 	&writeipsecfiles();
 	if (&vpnenabled) {
-		system('/usr/local/bin/ipsecctrl', 'S', $key);
+		&General::system('/usr/local/bin/ipsecctrl', 'S', $key);
 		sleep $sleepDelay;
 	}
 	if ($cgiparams{'EDIT_ADVANCED'} eq 'on') {
@@ -2822,7 +2860,7 @@ if(($cgiparams{'ACTION'} eq $Lang::tr{'advanced'}) ||
 		&General::writehasharray("${General::swroot}/vpn/config", \%confighash);
 		&writeipsecfiles();
 		if (&vpnenabled) {
-			system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
+			&General::system('/usr/local/bin/ipsecctrl', 'S', $cgiparams{'KEY'});
 			sleep $sleepDelay;
 		}
 		goto ADVANCED_END;
@@ -3271,7 +3309,7 @@ EOF
 	&General::readhasharray("${General::swroot}/vpn/config", \%confighash);
 	$cgiparams{'CA_NAME'} = '';
 
-	my @status = `/usr/local/bin/ipsecctrl I 2>/dev/null`;
+	my @status = &General::system_output("/usr/local/bin/ipsecctrl", "I");
 
 	$checked{'ENABLED'} = $cgiparams{'ENABLED'} eq 'on' ? "checked='checked'" : '';
 
diff --git a/html/cgi-bin/wakeonlan.cgi b/html/cgi-bin/wakeonlan.cgi
index 289dc224a..164cec2de 100644
--- a/html/cgi-bin/wakeonlan.cgi
+++ b/html/cgi-bin/wakeonlan.cgi
@@ -171,7 +171,7 @@ if ( $cgiparams{'ACTION'} eq 'wakeup' )
 
   undef %cgiparams;
 
-  system("/usr/sbin/etherwake -i $iface $mac");
+  &General::system("/usr/sbin/etherwake", "-i", "$iface", "$mac");
 
   # make a box with info, 'refresh' to normal screen after 5 seconds
   if ( $refresh eq 'yes' )
diff --git a/html/cgi-bin/webaccess.cgi b/html/cgi-bin/webaccess.cgi
index 0d50f01b1..934fe6beb 100644
--- a/html/cgi-bin/webaccess.cgi
+++ b/html/cgi-bin/webaccess.cgi
@@ -86,7 +86,7 @@ if (($cgiparams{'ACTION'} eq 'submit') && ($is_supervisor))
 		((defined($proxysettings{'SUPERVISOR_PASSWORD'})) && ($proxysettings{'SUPERVISOR_PASSWORD'} eq '')))
 	{
 		&write_acl;
-		system("/usr/local/bin/squidctrl restart >/dev/null 2>&1");
+		&General::system("/usr/local/bin/squidctrl", "restart");
 	}
 }
 
diff --git a/html/cgi-bin/wireless.cgi b/html/cgi-bin/wireless.cgi
index d4592a2a4..35bdaaa60 100644
--- a/html/cgi-bin/wireless.cgi
+++ b/html/cgi-bin/wireless.cgi
@@ -133,7 +133,7 @@ ADDERROR:
 		close(FILE);
 		undef %cgiparams;
 		&General::log($Lang::tr{'wireless config added'});
-		system('/usr/local/bin/wirelessctrl');
+		&General::system('/usr/local/bin/wirelessctrl');
 	}
 ADDEXIT:
 }
@@ -157,7 +157,7 @@ if ($cgiparams{'ACTION'} eq 'edit')
 		}
 	}
 	&General::log($Lang::tr{'wireless config changed'});
-	system('/usr/local/bin/wirelessctrl');
+	&General::system('/usr/local/bin/wirelessctrl');
 }
 
 if ($cgiparams{'ACTION'} eq 'remove' || $cgiparams{'ACTION'} eq 'toggle')
@@ -178,7 +178,7 @@ if ($cgiparams{'ACTION'} eq 'remove' || $cgiparams{'ACTION'} eq 'toggle')
 	}
 	close(FILE);
 	&General::log($Lang::tr{'wireless config changed'});
-	system('/usr/local/bin/wirelessctrl');
+	&General::system('/usr/local/bin/wirelessctrl');
 }
 
 
@@ -277,7 +277,7 @@ my @curhosts = ;
 close (HOSTFILE);
 
 my $connstate = &Header::connectionstatus();
-my @arp = `/sbin/arp -n`;
+my @arp = &General::system_output("/sbin/arp", "-n");
 shift @arp;
 
 foreach my $line (@current)
diff --git a/html/cgi-bin/wirelessclient.cgi b/html/cgi-bin/wirelessclient.cgi
index a7a9881b8..7cd23aed4 100644
--- a/html/cgi-bin/wirelessclient.cgi
+++ b/html/cgi-bin/wirelessclient.cgi
@@ -796,7 +796,7 @@ END
 }
 
 sub BuildConfiguration() {
-	system("/usr/local/bin/wirelessclient restart");
+	&General::system("/usr/local/bin/wirelessclient", "restart");
 }
 
 sub NextID() {
diff --git a/html/cgi-bin/wlanap.cgi b/html/cgi-bin/wlanap.cgi
index 602d4d3c1..eba5fe774 100644
--- a/html/cgi-bin/wlanap.cgi
+++ b/html/cgi-bin/wlanap.cgi
@@ -148,16 +148,16 @@ if ( $wlanapsettings{'ACTION'} eq "$Lang::tr{'save'}" ){
 		&General::writehash("/var/ipfire/wlanap/settings", \%wlanapsettings);
 		&WriteConfig_hostapd();
 
-		system("/usr/local/bin/wlanapctrl restart >/dev/null 2>&1");
+		&General::system("/usr/local/bin/wlanapctrl", "restart");
 		pid();
 	}
 }elsif ( $wlanapsettings{'ACTION'} eq "$Lang::tr{'wlanap interface'}" ){
 	&General::writehash("/var/ipfire/wlanap/settings", \%wlanapsettings);
 }elsif ( ($wlanapsettings{'ACTION'} eq "$Lang::tr{'start'}") && ($memory == 0) ){
-	system("/usr/local/bin/wlanapctrl start >/dev/null 2>&1");
+	&General::system("/usr/local/bin/wlanapctrl", "start");
 	pid();
 }elsif ( $wlanapsettings{'ACTION'} eq "$Lang::tr{'stop'}" ){
-	system("/usr/local/bin/wlanapctrl stop >/dev/null 2>&1");
+	&General::system("/usr/local/bin/wlanapctrl", "stop");
 	$memory=0;
 }