http://www.perlmonks.org?node_id=296183

mce has asked for the wisdom of the Perl Monks concerning the following question:

Hi All,

I might be totally wrong about this issue, but here it goes.
It is a security issue when using shell escapes (in CGI).
I have a program like

use strict;
use warnings;

my $cmd  = "ls";
my $arg1 = " file; ls";   # contains a shell metacharacter
my $arg2 = " file";

# List form: arguments go straight to the program, no shell involved
system($cmd, $arg1, $arg2);

# String form: the whole line is handed to the shell, so "; ls" runs a second command
warn qx/$cmd $arg1 $arg2/;
warn `$cmd $arg1 $arg2`;
This generates this output
ls: file; ls: No such file or directory
ls: file: No such file or directory
file
file
file
file
When using the system command, it 'quotes' the arguments, which is more safe in CGI. But how do I do this in qx or <backtick>? I can use quotemeta, but isn't there a better solution?

What I want to achieve, is to capture the output of a command, which system will not allow.

Any suggestions?
---------------------------
Dr. Mark Ceulemans
Senior Consultant
BMC, Belgium
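An added example (not the poster's code) of capturing a command's output without a shell: the list form of a pipe open passes the arguments directly to the program, so the " file; ls" value from the question is one filename argument, not a second command. `capture_noshell` is a name chosen here for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Run a command and return its standard output, without involving a shell.
# The '-|' mode plus a list of two or more elements makes Perl exec the
# program directly; with a single string element Perl may still hand
# metacharacters to the shell, so always pass the command and its
# arguments as separate list elements.
sub capture_noshell {
    my ($cmd, @args) = @_;
    open(my $fh, '-|', $cmd, @args)
        or die "cannot run $cmd: $!";
    local $/;                       # slurp the whole output at once
    my $out = <$fh>;
    close($fh);                     # $? now holds the child's exit status
    return defined $out ? $out : '';
}

# The values from the question (constructed input for the demonstration)
my $cmd  = "ls";
my $arg1 = " file; ls";
my $arg2 = " file";

my $out = capture_noshell($cmd, $arg1, $arg2);
printf "exit status %d, captured %d bytes of stdout\n", $? >> 8, length $out;
print $out;
```

With these inputs only ls runs, once, and its "No such file or directory" complaints go to stderr while the captured stdout stays empty; to capture stderr as well, redirect it inside the child rather than appending `2>&1` to a string that a shell would have to parse.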