|XP is just a number|
Re: Safely capturing the output of an external programby LanX (Sage)
|on Mar 09, 2020 at 00:00 UTC ( #11113991=note: print w/replies, xml )||Need Help??|
Nevermind I misread your question as already having the path. Sorry.
Maybe have a look at IPC::Open3 and IPC::Run
The latter is explicitly talking about avoiding the shell and both offer passing arguments explicitly.
I'm not aware of safe placeholder invocations, and the variety of possible CLI arguments is huge.
But you could consider to examine and untaint your file argument.
-e $file should tell you if it exists (hence not work with evil injections) and examining the path should tell you if it's inside an allowed location.
In Section Seekers of Perl Wisdom