SPUG: getting error message while substitution

Jacinta Richardson jarich at perltraining.com.au
Sun Apr 2 20:06:19 PDT 2006



Sachin Chaturvedi wrote:
> i am having a file in which i have statement
> 
> $ret_val = system("perl $ENV{SOURCE_ROOT}/scripts/Test_script.pl");

Depending on the permissions of this program you may need to double check that
$ENV{SOURCE_ROOT} contains a safe value.  In fact, I'd recommend that you turn
taint mode on for your program regardless:

#!/usr/bin/perl -T

A safer way to do the above is to use the multiple argument version of system:

$ret_val = system("perl", "$ENV{SOURCE_ROOT}/scripts/Test_script.pl");

This version passes the second (and subsequent) arguments as arguments to the
first (assumed to be the command).  These arguments do not go past the shell,
and thus cannot be used to cause shell attacks.

Thus even if $ENV{SOURCE_ROOT} is set to:

	1; rm -rf /;

no damage will occur because what will happen is the command will be constructed as:

	perl "1; rm -rf /;/scripts/Test_script.pl"

and the file called "1; rm -rf /;/scripts/Test_script.pl" probably doesn't exist.

> and i want to make a substitution in which i want to remove occurrence of perl
> from this line. i tried this by using file handle for that file and doing
> following substitution
> 
> $line =~ s|\perl \$ENV{SOURCE_ROOT}/scripts/Test_script.pl|\$ENV{SOURC 
> _ROOT}/scripts/Test_script|si;

I suspect your error is caused by your \p.  You'll probably also want to escape
your . in Test_script.pl. Either way, your substitute might be better written
with {}s as your delimiters as they allow line breaking more nicely:

$line =~ s{perl \$ENV{SOURCE_ROOT}/scripts/Test_script\.pl}
          {\$ENV{SOURCE_ROOT}/scripts/Test_script}si;

You could also use [] or () if you thought they looked better.  Depending on
your actual plans for the result of this substitute, there might be a better way
of doing this altogether.

All the best,

	Jacinta

-- 
   ("`-''-/").___..--''"`-._          |  Jacinta Richardson         |
    `6_ 6  )   `-.  (     ).`-.__.`)  |  Perl Training Australia    |
    (_Y_.)'  ._   )  `._ `. ``-..-'   |      +61 3 9354 6001        |
  _..`--'_..-_/  /--'_.' ,'           | contact at perltraining.com.au |
 (il),-''  (li),'  ((!.-'             |   www.perltraining.com.au   |
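
The two recommendations in the message above (taint mode plus the list form of system), combined in one script. This is an added example, not part of the original post; the allow-list pattern, the pinned PATH, the /usr/bin/perl location and the sample value '/opt/build/src' are assumptions made for illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;

# Taint mode refuses to run commands while PATH and related variables are
# untrusted, so pin them to known values first (values assumed here).
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Return an untainted copy of a directory path, or undef when it contains
# anything outside a conservative allow-list. The allow-list is an assumption
# for this example; adjust it to the paths your deployment really uses.
sub untaint_dir {
    my ($dir) = @_;
    return unless defined $dir;
    return if $dir =~ m{(?:\A|/)\.\.(?:/|\z)};    # refuse ".." components
    return $dir =~ m{\A(/[A-Za-z0-9_./-]+)\z} ? $1 : undef;
}

# Constructed sample values: one plausible, one hostile (the string quoted in
# the message above). They are only validated here, never executed.
for my $candidate ('/opt/build/src', '1; rm -rf /;') {
    my $ok = defined untaint_dir($candidate);
    printf "%-18s => %s\n", "'$candidate'", $ok ? 'accepted' : 'rejected';
}

my $root = untaint_dir($ENV{SOURCE_ROOT})
    or die "SOURCE_ROOT is unset or contains unexpected characters\n";

my $script = "$root/scripts/Test_script.pl";
-f $script or die "$script not found\n";

# List form: each element reaches perl as exactly one argument and no shell
# parses the string, so metacharacters in the path have no special meaning.
my $ret_val = system('/usr/bin/perl', $script);
die "failed to start perl: $!\n" if $ret_val == -1;
printf "child exit status: %d\n", $ret_val >> 8;
```

Because -T is on the #! line, run the file directly or as `perl -T file.pl`. Under taint mode, passing the raw $ENV{SOURCE_ROOT} to system dies with an "Insecure dependency" error, so the validation step is enforced by the interpreter.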
