PerlMonks  

Re: Running System Commands With ""

by jkahn (Friar)
on Sep 11, 2002 at 19:42 UTC (#197058=note)

in reply to Running System Commands With ""

As ferrency suggested in the crisis he describes in "Don't try this at home", composing all the bits of a system command into one line is dangerous, because one of those variables might contain a malicious command.

Instead, consider using the system LIST syntax, e.g.:

# # add double-quote characters to either end of realname
# # $realname = '"' . $realname . '"';
# commented out above line after fruiture pointed out that
# system LIST format makes it unnecessary -- and even
# wrong, since realname would then be stored with '"'
# on either side!

# run system command, but pass args directly to the
# adduser program, rather than booting a shell
# (system returns the wait status: 0 means success,
# so die on anything non-zero)
if (system("adduser", $username,
           '-g', '100',
           '-s', '/bin/false',
           '-d', "/home/$username",
           '-p', $encrypted_pass,
           '-e', $expiry_date,
           '-c', $realname) != 0) {
    die "trouble adding user: returned non-zero\n";
}

This will:

  1. Solve your problem with quotes, since you've added them $realname is passed as a single argument.
  2. Protect you from malicious examples like ferrency pointed out before.

See perldoc -f system.

update: fruiture pointed out that quotes were not needed in system LIST syntax.
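To make the difference between the two forms concrete, here is an added, self-contained example (it is not jkahn's code and not part of the original thread). It assumes a Unix-like system with /bin/echo available, and the "real name" value is a constructed sample containing shell metacharacters; the run_checked helper is likewise an illustration, not a standard Perl function.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample standing in for an untrusted "real name" field.
# It deliberately contains a ';' so the two call forms can be compared.
my $realname = 'Mallory; echo INJECTED';

# LIST form: Perl calls execvp() directly, no shell is started, and each
# list element becomes exactly one argv entry. /bin/echo therefore
# receives the whole string as a single argument and prints it verbatim,
# including the literal "; echo INJECTED".
my $rc = system('/bin/echo', 'LIST form comment is:', $realname);
die "echo failed: $?\n" if $rc != 0;

# Scalar (EXPR) form WITH metacharacters: Perl hands the string to
# /bin/sh -c, the shell treats ';' as a command separator, and a second
# command runs. This is the injection ferrency warned about.
system("/bin/echo EXPR form comment is: $realname");

# Scalar form WITHOUT metacharacters: as merlyn notes, Perl splits on
# whitespace itself and still does not start a shell. Safe only because
# the string is a constant here; interpolating data changes that.
system("/bin/echo plain scalar form, no shell");

# Checking the exit status properly. system() returns the wait status,
# not the exit code: -1 means exec failed, the low 7 bits carry a
# signal number, and the real exit code is in the high byte.
sub run_checked {
    my @argv = @_;
    my $status = system(@argv);
    if ($status == -1) {
        die "failed to execute $argv[0]: $!\n";
    }
    elsif ($status & 127) {
        die sprintf("%s died with signal %d\n", $argv[0], $status & 127);
    }
    return $status >> 8;
}

# Constructed check: a child that exits with code 3 yields 3 here,
# not 768 (3 << 8), which is what a raw $? would show.
my $exit = run_checked('/bin/sh', '-c', 'exit 3');
print "child exit code: $exit\n";
```

Run it once and compare the first two lines of output: the LIST call prints the semicolon and the rest of the string as data, while the EXPR call prints a shorter line followed by a separate "INJECTED" line produced by the extra command the shell executed. The run_checked helper shows why `!system(...)` is the wrong test: success is 0, so a non-zero wait status must be decoded before it is reported.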


Re: Re: Running System Commands With ""
by samurai (Monk) on Sep 11, 2002 at 20:20 UTC
    The list argument form of system is also FASTER than the scalar form, isn't it? I believe I read somewhere that the scalar form invokes another shell and hands off the processing to it, whereas the list form is more... er, direct? Faster and more secure. Mmmmmmm...

    I can't explain how but I know I read it somewhere. Could someone elaborate for me about what the list form actually does?

    --
    perl: code of the samurai

      Yes, it's faster because there's no need for an intermediate sh process to get loaded, parse the arguments, redirect input and output where they should be sent to, and pass the arguments to the program invoked.

      If you do want shell-style redirection, though, you'll have to use a system EXPR syntax. It's not all bad; a number of Perl Cookbook recipes use it for good reason (mostly for shell redirection).

        Yes, it's faster because there's no need for an intermediate sh process to get loaded, parse the arguments, redirect input and output where they should be sent to, and pass the arguments to the program invoked.
        No, if there are no shell metachars, Perl does the splitting itself, so there's no sh process involved.

        Convince yourself of this by executing an appropriate ps command during each of

        system "sleep 5";
        system "sleep 5;"; # notice the semicolon
        Other arguments in favor of "avoid the sh at all costs" in this thread are still valid. Just wanted to point out that the single-arg system does not always call sh. It just might.

        -- Randal L. Schwartz, Perl hacker
