For running an external program, I usually grab Capture::Tiny. The only times I have issues with Capture::Tiny is when using threads and that's due to Capture::Tiny not being thread safe.

Right, so this can be used to wrap a call to system to capture the output, and system can be entirely de-shelled, as it were. That might work. Thank you!

the arguments that need to be passed come from user-supplied data, and while the program being called itself should be safe to invoke, there's the issue of the shell and its shenanigans ... system and exec have "safe" invocations ... Does qx//?

No, not in the core*. I wrote about exactly this issue here: In this case, I might recommend IPC::System::Simple's capturex as a safer drop-in replacement for qx//, or IPC::Run3 if you want to capture STDERR as well.

* Update: Ok, well, not quite right, there are piped opens with more than one argument, but those require one to be careful to get right, and didn't work on Windows for quite some time. The modules just make this much easier.

Not being in the core is fine. And this, from IPC::System::Simple's documentation,

Better still, you can even use capturex() to run the equivalent of backticks, but without the shell:

is exactly what I wanted to read. Thanks!

I'd like to offer another alternative, my IPC::System::Options which exports readpipe() and lets you use the standard backtick operator but with the option of not having to use shell.

update

Nevermind I misread your question as already having the path. Sorry.

update

Maybe have a look at IPC::Open3 and IPC::Run

The latter is explicitly talking about avoiding the shell and both offer passing arguments explicitly.

Untested!

Hi

I'm not aware of safe placeholder invocations, and the variety of possible CLI arguments is huge.

But you could consider to examine and untaint your file argument.

-e $file should tell you if it exists (hence not work with evil injections) and examining the path should tell you if it's inside an allowed location.

Untainting might work though; if the filename matches, say, q/^[A-Za-z0-9]+\.tfm$/, it's probably safe to pass it through any shell. But I've never liked that approach, and "probably" is a dangerous word.

> Untainting might work though;

In this case I'd additionally surround arguments with 'singlequotes' .

Your untainting demo is explicitly forbidding quotes, in other cases escape them.

Cheers Rolf
_{(addicted to the Perl Programming Language :)
Wikisyntax for the Monastery}

What are the command line commands you're sending?

For searching for files if that's all you're doing, I like File::Find::Rule.

The command would be something like kpsewhich cmr10.tfm. I'd prefer to use kpsewhich, the kpathsea library it wraps, or whatever other standard methods may exist in TeX for finding files, so as to ensure my script'll find the same files that TeX does; but if all else fails I'll try File::Find::Rule, thanks.