[Pdx-pm] sanity check: how to use system()
Austin Schutz
tex at off.org
Mon Feb 28 22:56:07 PST 2005
On Tue, Mar 01, 2005 at 12:52:11AM -0600, Eric Wilhelm wrote:
> # The following was supposedly scribed by
> # Austin Schutz
> # on Tuesday 01 March 2005 12:16 am:
>
> >Often in modules it's easier to just pass it to the shell and let
> >it sort it out rather than assuming that your users will think to use
> > it the other way.
>
> That works until you have a filename with a space in it. Sure, you can
> quote it and escape it, but why? And in the context of backup systems,
> you are going to be reading from config files and dealing with users
> that don't know perl, etc.
Yes, in the context of backup systems it doesn't make sense.
`find . | cpio -i` works pretty well too - until you hit a filename with a
newline.
>
> > Most of us probably run code in places where we aren't so
> > concerned with the local users being malicious.
>
> This isn't about maliciousness so much as code leaving corner-cases
> completely unconsidered. Even if you're just making a wrapper for
> another command, you should call exec() with a list context just in
> case your wife is a writer.
>
I have my office boobytrapped with computer parts. She's smart
enough to stay out and use her own computer. :-)
Austin
More information about the Pdx-pm-list
mailing list