in reply to Re^5: Getting information about a remote file via SSH: how to escape the filename
in thread Getting information about a remote file via SSH: how to escape the filename
Suggestions on how to stay safe are very welcome
Avoid the shell as much as you can (i.e. using system $cmd, @args instead of system "$cms @args").
Otherwise, quote your data properly. For instance, for POSIX shells I use the following sub to quote commands and arguments:
my $glob_class = '*?\\[\\],{}:!^~'; sub quote { shift; my $quoted = join '', map { ( m|\A'\z| ? "\\'" : m|\A'| ? "\"$_\"" : m|\A[$noquote_class]+\z|o ? $_ : "'$_'" ) } split /('+)/, $_[0]; length $quoted ? $quoted : "''"; }
|
---|
In Section
Seekers of Perl Wisdom