PerlMonks
Why? Please explain your reasoning?

Are you asking why to avoid passing arguments in the single-arg form of system or exec? It can be dangerous if passed unclean user input. There is a particularly relevant paragraph in the exec documentation (emphasis mine):

If there is more than one argument in LIST, or if LIST is an array with more than one value, calls execvp(3) with the arguments in LIST. If there is only one scalar argument or an array with one element in it, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is /bin/sh -c on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to execvp, which is more efficient.

Notice that in the case of a single argument with meta-characters, the system shell is called. The system shell will then interpret those metacharacters in the standard way, which can cause dangerous side effects. Consider a malicious user that passes "> $0" as part of the input. If this were executed in a unix shell with enough permissions, it could cause some major damage.

Of course it's always wise to validate user input, but the safest course of action is to not use the user input in a way that would be dangerous in the first place. In this case, the list forms of system and exec prevent the danger, because the shell is never invoked.

Note: I apologize in advance if I'm not answering the question you asked, but perhaps someone else will find the information useful if that is the case.

Update: apparently my efforts to avoid offending the ever-sensitive BrowserUk were in vain. I shall make a note to not even try in the future.


In reply to Re^2: RFC: Perl-Critic policy: ProhibitInlineSystemArgs by revdiablo
in thread RFC: Perl-Critic policy: ProhibitInlineSystemArgs by davidrw
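An added example illustrating the post above; it is not code from the original post or from the proposed Perl-Critic policy. It assumes a Unix platform where, as the quoted exec documentation says, a single argument with metacharacters is handed to /bin/sh -c. The input string, the subroutine names and the use of echo and ls are constructed for the demonstration.

```perl
#!/usr/bin/env perl
use strict;
use warnings;

# Constructed attacker-controlled input (not from the original post): a
# "filename" that also carries a shell metacharacter sequence.
my $tainted = 'report.txt; echo INJECTED';

# Single-argument form. Because the string contains ';', Perl passes the
# whole thing to /bin/sh -c, and the shell runs echo twice.
sub echo_via_shell {
    my ($arg) = @_;
    return system("echo $arg");
}

# List form. Perl calls execvp(3) directly with two argv entries; echo
# receives the string as one literal word and ';' means nothing to it.
sub echo_no_shell {
    my ($arg) = @_;
    return system('echo', $arg);
}

# The list form stops shell injection but not option injection: an
# argument that begins with '-' is still parsed by the child program as
# a flag. Put '--' before user-supplied operands for programs that honour
# it (ls here), so '-la' is treated as a filename rather than as options.
sub list_path_no_shell {
    my ($path) = @_;
    return system('ls', '--', $path);
}

# Capturing output: backticks always go through the shell. The three-
# argument pipe open with a command list runs the program directly.
sub capture_no_shell {
    my @cmd = @_;
    open(my $fh, '-|', @cmd) or die "cannot run $cmd[0]: $!";
    my @lines = <$fh>;
    close($fh) or warn "$cmd[0] exited with status " . ($? >> 8) . "\n";
    return \@lines;
}

print "# single-argument form (shell involved)\n";
echo_via_shell($tainted) == 0 or die "echo failed: $?";

print "# list form (no shell)\n";
echo_no_shell($tainted) == 0 or die "echo failed: $?";

print "# option injection blocked with '--'\n";
list_path_no_shell('-la');   # ls complains about a missing file instead of listing

print "# output captured without a shell\n";
my $out = capture_no_shell('echo', $tainted);
print @$out;
```

On a Unix system the first call prints two lines, because the shell splits on ';' and runs the injected command, while the second prints the whole input as one line. Two caveats a practitioner should keep in mind: the shell-bypass guarantee is for the Unix execvp path, and the quoted documentation itself says the behaviour varies on other platforms; and running under taint mode (perl -T) makes Perl refuse to pass unchecked user data to system or exec in either form, which is a useful backstop on top of choosing the list form.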
