[Pdx-pm] sanity check: how to use system()

Austin Schutz tex at off.org
Mon Feb 28 22:56:07 PST 2005


On Tue, Mar 01, 2005 at 12:52:11AM -0600, Eric Wilhelm wrote:
> # The following was supposedly scribed by
> # Austin Schutz
> # on Tuesday 01 March 2005 12:16 am:
> 
> >Often in modules it's easier to just pass it to the shell and let
> >it sort it out rather than assuming that your users will think to use
> > it the other way. 
> 
> That works until you have a filename with a space in it.  Sure, you can 
> quote it and escape it, but why?  And in the context of backup systems, 
> you are going to be reading from config files and dealing with users 
> that don't know perl, etc.


	Yes, in the context of backup systems it doesn't make sense. 
`find . | cpio -i` works pretty well too - until you hit a filename with a
newline.

> 
> >        Most of us probably run code in places where we aren't so
> > concerned with the local users being malicious.
> 
> This isn't about maliciousness so much as code leaving corner-cases 
> completely unconsidered.  Even if you're just making a wrapper for 
> another command, you should call exec() with a list context just in 
> case your wife is a writer.
> 

	I have my office boobytrapped with computer parts. She's smart
enough to stay out and use her own computer. :-)

	Austin
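An added Perl example, not from the thread, that reproduces the corner case Eric and Austin are talking about: the string form of backticks hands the command to /bin/sh, which splits the filename on its space and treats an embedded newline as the end of a command, while the list form of open passes the name through to wc untouched. The scratch directory and the three filenames are constructed for the demonstration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed fixtures: a scratch directory with the two awkward names
# raised in the thread, one with a space and one with an embedded newline.
my $dir   = tempdir(CLEANUP => 1);
my @names = ('plain.txt', 'has space.txt', "has\nnewline.txt");
for my $name (@names) {
    my $path = File::Spec->catfile($dir, $name);
    open my $fh, '>', $path or die "open $path: $!";
    print $fh "hello\n";
    close $fh;
}

# String form: the whole command goes to /bin/sh, which re-splits it on
# whitespace and treats the newline as the end of a command (the shell's
# own error messages show up on stderr).  Returns undef on failure.
sub size_via_shell_string {
    my ($path) = @_;
    my $out = `wc -c $path 2>/dev/null`;
    return undef if $? != 0;
    my ($bytes) = $out =~ /^\s*(\d+)/;
    return $bytes;
}

# List form: no shell is involved, so wc receives the name exactly as
# Perl holds it, space and newline included.  Returns undef on failure.
sub size_via_list {
    my ($path) = @_;
    open my $fh, '-|', 'wc', '-c', $path or return undef;
    my $out = do { local $/; <$fh> };
    close $fh or return undef;
    my ($bytes) = $out =~ /^\s*(\d+)/;
    return $bytes;
}

for my $name (@names) {
    my $path = File::Spec->catfile($dir, $name);
    (my $shown = $name) =~ s/\n/\\n/g;
    my ($s, $l) = (size_via_shell_string($path), size_via_list($path));
    printf "%-18s string-form=%s  list-form=%s\n", $shown,
        defined $s ? $s : 'FAILED', defined $l ? $l : 'FAILED';
}
```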

