|Keep It Simple, Stupid|
Re^3: Insecure dependency in piped openby sgifford (Prior)
|on Jun 29, 2008 at 19:37 UTC||Need Help??|
Actually those two are subtly different. One of them has a single string, and Perl will hand that string to the shell to parse. If $host contains any special shell characters, the shell will interpret them; for example if $host was set to:
the shell will see something like:
and will go ahead and try to remove your script, if it has permission. That is why Perl won't let you do it with taint mode on.
The multi-argument piped open doesn't send anything to the shell, and so avoids this problem.
There is also a difference in where standard error goes. In the first example it will be read from the pipe; in the second it will go to the original program's standard error, perhaps to a Web server error log.
Finally, for this particular purpose, there is probably a module available on CPAN (like Net::DNS) that will do the work without using an external program at all.