[vox-tech] quoting question in perl

Henry House vox-tech@lists.lugod.org
Sat, 22 Dec 2001 10:44:51 -0800


On Sat, Dec 22, 2001 at 01:53:47AM -0800, Harry Souders wrote:
> system("rm -- $filename");

I did not explain this fully in my last post, but I strongly recommend always
passing system() a list of strings rather than a single string argument. If
there is one string arg (e.g., "rm foo"), perl emulates system(3), which
means that the string is interpreted by /bin/sh.  I imagine I do not need to
explain to this group why that is a bad idea when dealing with arbitrary
strings.

It is much better to use system('command', 'arg1', 'arg2', ... 'arg n'). In
this case, the program named by the first argument is called (via fork(2) and
execvp(3)) directly by perl, without a shell. The potential security problem
is thereby eliminated.

As Harry pointed out, rm(1) chokes on filenames that begin with a hyphen. All
cases I can think of should be covered by system('/bin/rm', '--', $filename).

-- 
Henry House
The attached file is a digital signature. See <http://romana.hajhouse.org/pgp>
for information.  My OpenPGP key: <http://romana.hajhouse.org/hajhouse.asc>.

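As an added illustration (not part of Henry's message), here is a small Perl script that exercises the list-form system('/bin/rm', '--', $filename) call against constructed filenames that the single-string form would hand to /bin/sh for reinterpretation. The safe_unlink helper and the sample names are assumptions made for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Remove one file without involving /bin/sh.  The list form of system()
# goes straight to fork(2)/execvp(3), so no shell ever sees the name, and
# '--' tells rm(1) that whatever follows is a filename, not an option.
# Contrast with system("rm -- $filename"), where the shell would apply
# word splitting, ';' separation and $(...) substitution to the name.
sub safe_unlink {
    my ($filename) = @_;
    my $rc = system('/bin/rm', '--', $filename);
    if ($rc == -1) {
        warn "failed to execute /bin/rm: $!\n";
        return 0;
    }
    return ($rc >> 8) == 0;    # rm's exit status lives in the high byte
}

# Constructed sample names (hypothetical): each would be mangled or
# reinterpreted if interpolated into a single command string for sh.
my @names = (
    '-rf',                  # rm would read this as options without '--'
    'my file.txt',          # word splitting would yield two arguments
    'a;b.txt',              # ';' is a command separator to sh
    'dollar$(HOME).txt',    # $(...) is command substitution to sh
);

# Work in a throwaway directory so the demo touches nothing else.
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

for my $name (@names) {
    open my $fh, '>', $name or die "create '$name': $!";
    close $fh;
    my $ok = safe_unlink($name);
    printf "%-22s removed=%-3s still_exists=%s\n",
        "'$name'", $ok ? 'yes' : 'no', (-e $name) ? 'yes' : 'no';
}
chdir '/';    # leave the temp dir so CLEANUP can remove it
```

Every line should report removed=yes and still_exists=no; swapping safe_unlink's body for the single-string form is the quickest way to see which of these names the shell would misparse.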