Re^9: RFC: Perl-Critic policy: ProhibitInlineSystemArgs
by BrowserUk (Pope) on Jul 03, 2006 at 21:49 UTC
I guess you picked up the conversation half way through and responded, but to clarify, my points are:
Even if a program is accepting input from untrusted sources, say via the web, then if you follow good practice for such programs--use -T; untaint by inclusion not exclusion; etc.--then there is still no good reason to reinvent all the wheels that shells provide in order to avoid using the shell.
The chances are that, 99 attempts out of 100, when your average Joe Programmer tries to recreate the facilities of a system shell, they are going to make many of the mistakes and security foopars that have long since been found and fixed in your system shell.
The only good reason for avoiding calling the system shell is efficiency. If you do not need the shell's facilities--any of the shell's facilities, including searching paths and other well-known environment variables to locate the appropriate executable--then there is no point in invoking the shell and having it invoke the program that you really want to run.
All other justifications for SAS were ill-conceived to begin with, hyped against reason, and are perpetuated without thought.
Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.
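
An added illustration of the "use -T; untaint by inclusion" practice the post refers to, showing the same validated value passed to both the single-string (shell) and list forms of `system`. It is not code from the post or from Perl::Critic. The helper `untaint_name`, its allowlist pattern and the sample inputs are constructed for this example, and it assumes `echo` and `tr` are found in `/usr/bin:/bin`.

```perl
#!/usr/bin/perl -T
# Added example. Run as: perl -T example.pl
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Zero-length tainted string, taken before %ENV is cleaned, used only to
# mark the constructed sample inputs below as tainted.
my $TAINT = substr(join('', $0, $^X, values %ENV), 0, 0);

# Under -T perl refuses to run commands until these are trusted values.
$ENV{PATH} = '/usr/bin:/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untaint by inclusion: only a value matching the allowlist pattern is
# returned, via the capture group, which perl treats as untainted.
# (Hypothetical helper; the pattern is an assumption for this example.)
sub untaint_name {
    my ($raw) = @_;
    return unless defined $raw
        && $raw =~ /\A([A-Za-z0-9_][A-Za-z0-9_.-]{0,63})\z/;
    return $1;
}

# Constructed sample inputs.
for my $input ('report-2006.txt', 'report.txt; id', '../etc/passwd', '') {
    my $untrusted = $input . $TAINT;
    my $name      = untaint_name($untrusted);

    if (!defined $name) {
        printf "%-18s rejected (input tainted: %s)\n",
            "'$input'", tainted($untrusted) ? 'yes' : 'no';
        next;
    }
    printf "%-18s accepted (result tainted: %s)\n",
        "'$input'", tainted($name) ? 'yes' : 'no';

    # Single-string form: the pipe means perl hands this to the shell.
    system("echo $name | tr a-z A-Z") == 0
        or warn "shell form failed: $?\n";

    # List form: no shell involved, arguments are passed as given.
    system('echo', $name) == 0
        or warn "list form failed: $?\n";
}
```

Passing `$untrusted` instead of `$name` to either `system` call makes perl die with an "Insecure dependency" error under `-T`, whichever form is used.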