
Re: [perl #50146] File::Temp and unsafe shell characters

From: Ed Avis
Date: June 2, 2008 06:28
Message ID: loom.20080602T131918-924@post.gmane.org

Ed Avis <eda <at> waniasset.com> writes:

>(BTW, is there a good alternative to this?  I mean a convenient syntax
>for setting up shell pipelines and redirection but without relying on
>string interpolation.)

I was thinking of an interface that lets you say things like

    run [ 'ls', '-l', $filename ], '|', [ 'wc', '-l' ]

as a safe alternative to

    system "ls -l $filename | wc -l"

which, as everyone here knows, requires tedious sanity-checking of $filename to
avoid unexpected behaviour or security holes caused by shell metacharacters. 
Multi-argument system() is safe but doesn't support piping and redirection.  So
is there something that gives both convenience and safety?

It turns out that just such a module exists: IPC::Run.

IPC::Cmd (built on IPC::Run) and IPC::System::Simple also provide a safe and
convenient way to run external commands, capture output if wanted, and get error
checking without the crazy $? & 127 stuff.  So I don't think there is much
reason to use builtin system() any more.

-- 
Ed Avis <eda@waniasset.com>
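
The pipeline from the message, run both ways, as an added example that is not part of the original post. It assumes IPC::Run is installed from CPAN; the temporary directory and the file name are constructed samples, and `--` is an extra guard not mentioned in the message.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);   # core module
use IPC::Run qw(run);         # CPAN module, assumed installed

# Constructed sample: a file whose name contains shell metacharacters.
my $dir      = tempdir( CLEANUP => 1 );
my $filename = "$dir/report; echo INJECTED; echo .txt";
open my $fh, '>', $filename or die "cannot create '$filename': $!";
close $fh or die "cannot close '$filename': $!";

# Unsafe form from the message: the interpolated string is handed to
# /bin/sh, which splits it at each ';', so "echo INJECTED" runs as a
# command of its own and ls is asked about a file that does not exist.
print "single-string system():\n";
system "ls -l $filename | wc -l";

# IPC::Run form: each array ref is an argument vector executed without a
# shell, so $filename reaches ls as one argument whatever it contains.
# '--' ends option parsing in case a name starts with '-'.
my ( $out, $err ) = ( '', '' );
run( [ 'ls', '-l', '--', $filename ], '2>', \$err,
     '|', [ 'wc', '-l' ], '>', \$out )
    or die "pipeline failed (\$? = $?): $err";

$out =~ s/^\s+|\s+$//g;    # some wc implementations pad the count
print "IPC::Run pipeline:\n$out\n";
```

Avoiding the shell removes metacharacter interpretation only; the program being run still parses its own arguments, which is why the example passes `--` before the file name.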




