http://qs321.pair.com?node_id=1041013


in reply to Getting information about a remote file via SSH: how to escape the filename

$ssh->cmd(qq[ls -l $remotefile]); # Then parse the info I want from $stdout with an easy regex

But I can't rule out the possibility that the remote filename might contain shell metacharacters.

This should do it: $ssh->cmd(qq[ls -l "$remotefile"]);

Cheers, Sören

(hooked on the Perl Programming language)

Re^2: Getting information about a remote file via SSH: how to escape the filename
by salva (Canon) on Jun 27, 2013 at 13:54 UTC
    $remotefile=qq[foo"; rm -Rf /; echo "bar]

      In my particular situation, actively malicious filenames are very unlikely to occur (and if they do, it implies that I have much bigger problems than this program can possibly address or even meaningfully exacerbate).

      However, I still don't want the thing to fail to work correctly if a filename happens for some reason to contain quotation marks.

      $remotefile=qq[foo"; rm -Rf /; echo "bar]

      You'd better untaint your variables, Monk!

      Cheers, Sören

      (hooked on the Perl Programming language)

        How can you discern a valid filename from a malicious one in a generic way?
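
Added example, not part of the original thread or any poster's code: rather than trying to tell valid filenames from malicious ones, quote every filename so the shell treats it as a single literal argument. The helper names (shell_quote, double_quote_naive, roundtrip) and the sample filenames are constructed for illustration; it assumes the remote login shell is POSIX sh-compatible, and the local /bin/sh stands in for the remote side so it runs offline.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Wrap the argument in single quotes. Inside single quotes the shell treats
# every character literally except the single quote itself, which is written
# as '\'' (close the quote, emit an escaped quote, reopen the quote).
sub shell_quote {
    my ($arg) = @_;
    die "NUL byte cannot be passed in a shell argument\n" if $arg =~ /\0/;
    (my $q = $arg) =~ s/'/'\\''/g;
    return "'$q'";
}

# The approach from the first reply: plain double quotes around the name.
sub double_quote_naive { my ($arg) = @_; return qq["$arg"]; }

# Pass the quoted word to printf through /bin/sh and return what the shell
# actually produced, so it can be compared with the original filename.
sub roundtrip {
    my ($quoted) = @_;
    open(my $fh, '-|', '/bin/sh', '-c', "printf %s $quoted") or die "sh: $!";
    local $/;                       # slurp mode, keeps embedded newlines
    my $out = <$fh>;
    close $fh;
    return defined $out ? $out : '';
}

# Constructed sample filenames; the fifth is a harmless variant of the
# counter-example posted in the thread (echo instead of rm).
my @names = (
    'plain.txt',
    'with space.txt',
    q[it's "quoted".txt],
    'price $HOME `echo x`.txt',
    q[foo"; echo INJECTED; echo "bar],
    "line\nbreak.txt",
);

for my $name (@names) {
    my $safe  = roundtrip(shell_quote($name))        eq $name ? 'ok' : 'CHANGED';
    my $naive = roundtrip(double_quote_naive($name)) eq $name ? 'ok' : 'CHANGED';
    (my $shown = $name) =~ s/\n/\\n/g;
    printf "%-36s single-quoted: %-8s double-quoted: %s\n", $shown, $safe, $naive;
}

# With the call from the question this would become:
#   $ssh->cmd('ls -l -- ' . shell_quote($remotefile));
# where "--" keeps a name that starts with "-" from being read as an option.
```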