[Pdx-pm] sanity check: how to use system()

Eric Wilhelm ewilhelm at sbcglobal.net
Mon Feb 28 22:52:11 PST 2005


# The following was supposedly scribed by
# Austin Schutz
# on Tuesday 01 March 2005 12:16 am:

> Often in modules it's easier to just pass it to the shell and let
> it sort it out rather than assuming that your users will think to use
> it the other way.

That works until you have a filename with a space in it.  Sure, you can 
quote it and escape it, but why?  And in the context of backup systems, 
you are going to be reading from config files and dealing with users 
that don't know perl, etc.

> Most of us probably run code in places where we aren't so
> concerned with the local users being malicious.

This isn't about maliciousness so much as code leaving corner-cases 
completely unconsidered.  Even if you're just making a wrapper for 
another command, you should call exec() with a list context just in 
case your wife is a writer.

  command_wrapper "./-rf my wife's funny file name(s)"

--Eric
-- 
"Cleanliness is next to impossible." 
                                                  -- Unknown
---------------------------------------------
    http://scratchcomputing.com
---------------------------------------------
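An added example, not from Eric's post or anything else in the Pdx-pm thread, that shows the two forms of Perl's system() side by side against a constructed filename of the kind described above. It assumes a POSIX /bin/sh and a wc binary on PATH; the temp directory and the file name are constructed here for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Constructed sample filename: spaces, an apostrophe, parentheses and a
# leading dash, the kind of name a non-programmer produces.
my $name = "-rf my wife's funny file name(s)";

# Work inside a throw-away directory so the relative name keeps its
# leading dash (a full path would hide that part of the problem).
my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "cannot chdir to $dir: $!";
open my $fh, '>', $name or die "cannot create '$name': $!";
print {$fh} "hello\n";
close $fh;

# Runs wc on the file both ways and returns the two exit statuses.
sub compare_forms {
    my ($file) = @_;

    # Single-string form: Perl sees shell metacharacters and hands the
    # whole line to /bin/sh, which splits on the spaces, chokes on the
    # unmatched apostrophe, and would treat the leading '-' as options.
    my $shell_status = system("wc -c $file") >> 8;

    # List form with more than one element: Perl calls execvp() directly,
    # so $file arrives as exactly one argv element.  The '--' tells wc
    # that what follows is a filename even though it starts with '-'.
    my $list_status = system('wc', '-c', '--', $file) >> 8;

    return ($shell_status, $list_status);
}

my ($shell, $list) = compare_forms($name);
print "shell form exit status: $shell\n";   # non-zero: sh syntax error
print "list form exit status:  $list\n";    # 0: wc counted the file
```

One caveat worth knowing when applying this: perldoc -f system documents that a list with only one element is still scanned for shell metacharacters and passed to the shell if any are found, so a single-element call does not get the protection shown here; the indirect-object form `system { $prog } @args` forces the no-shell path regardless of argument count.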