PerlMonks  

Re: Asynchronous Program Spawning

by ikegami (Patriarch)
on Feb 12, 2006 at 09:16 UTC ( [id://529634]=note )


in reply to Asynchronous Program Spawning

All of the following will do the trick:

  • IPC::Run
  • IPC::Open3 (Core module written to address this issue.)
  • IPC::Open2 (Core module written to address this issue.)
  • fork+exec (Inefficient in Windows)
  • system 1, ... (Only on Windows)
  • system "start ..." (Only on Windows. Has security issues from loading shell)
  • system "... &" (Only on unix. Has security issues from loading shell)

Re^2: Asynchronous Program Spawning
by BrowserUk (Patriarch) on Feb 12, 2006 at 10:47 UTC
    Has security issues from loading shell

    Could you explain, or provide a pointer to discussion of the security issues?


    Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
    Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
    "Science is about questioning the status quo. Questioning authority".
    In the absence of evidence, opinion is indistinguishable from prejudice.

      Due care must be spent on sanitizing and escaping the arguments if they are not hard coded.

      $file_name = 'file name'; system("program $file_name &"); # Oops!

      Without due care, the code may not work, or worse, it could be vulnerable to injection attacks.

        If you do that as

        system qq[program "$filename" &];

        It won't matter if the filename contains spaces or not. That's a simple programming problem and hardly worthy of description as "security issue".

        As for "injection attacks", I assume that you mean if the source of all or part of the command supplied to the system command is an untrusted external source, then care must be taken. I fail to see how the start command is any more or less of a security risk than invoking an untrusted command directly?

        If you get data from untrusted sources, don't you have to be just as careful invoking that data as a command directly as you do invoking it indirectly via a command shell?


        Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
        Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
        "Science is about questioning the status quo. Questioning authority".
        In the absence of evidence, opinion is indistinguishable from prejudice.
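The difference the thread is arguing about, as an added example that is not part of any poster's reply: the same constructed file names are passed to a child through /bin/sh unquoted, through /bin/sh inside double quotes, and as an argument list with no shell. It assumes a Unix system with a printf utility, which stands in for "program"; the helper names run_shell, run_list and spawn_async are hypothetical.

```perl
#!/usr/bin/perl
use strict;
use warnings;
$| = 1;    # flush our own output before any child writes

# Constructed sample names (not from the thread).
my @names = (
    'file name',             # whitespace only
    'a" "b',                 # contains a double quote
    'x$(echo SHELL_RAN)',    # shell command-substitution syntax
);

# Shell form: the whole string is parsed by /bin/sh before the program runs.
sub run_shell {
    my ($cmd) = @_;
    chomp(my @lines = `$cmd`);
    return \@lines;
}

# List form: each element reaches the program as exactly one argument.
sub run_list {
    my @argv = @_;
    open(my $fh, '-|', @argv) or die "cannot run $argv[0]: $!";
    chomp(my @lines = <$fh>);
    close $fh;
    return \@lines;
}

# Asynchronous spawn without a shell: fork, then exec with an argument list.
sub spawn_async {
    my ($prog, @args) = @_;
    defined(my $pid = fork()) or die "fork failed: $!";
    return $pid if $pid;     # parent continues immediately
    exec { $prog } $prog, @args or die "exec $prog failed: $!";
}

my $fmt = q{'[%s]\n'};       # printf prints one "[arg]" line per argument
for my $n (@names) {
    printf "%-20s unquoted=%s  quoted=%s  list=%s\n", $n,
        map { join(' ', @$_) }
            run_shell(qq{printf $fmt $n}),
            run_shell(qq{printf $fmt "$n"}),
            run_list('printf', '[%s]\n', $n);
}

# The non-shell equivalent of system("program ... &").
waitpid(spawn_async('printf', 'async child got: [%s]\n', $names[2]), 0);
```

Each bracketed group in the output is one argument as the child received it, so any name whose list column differs from its quoted column was reinterpreted by the shell on the way.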
Re^2: Asynchronous Program Spawning
by redhotpenguin (Deacon) on Feb 12, 2006 at 23:34 UTC
