http://qs321.pair.com?node_id=1186669


in reply to Re: Directory Structure.
in thread Directory Structure.

When doing this, keep in mind that when using backticks (``) or the qx// quote-like operator, the command provided is passed through the shell (/bin/sh, whatever THAT really is) and subject to all the usual shell magic. This may be a problem if you're not expecting it, and a security issue if you're passing user input to the shell.

In order to avoid the shell, use system instead and pass a list:

    #!/usr/bin/perl
    # ...
    # list form: mkdir is exec'ed directly with these arguments, no shell involved
    system("mkdir", "-p", map { "$dir/$_" } @files);
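To show the point in working code, here is an added example (not from the thread) that wraps the list-form system() call above in a small helper, feeds it constructed names full of shell metacharacters, and checks that each was created literally; it assumes the core File::Temp module and a POSIX mkdir that accepts "--".

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Create $dir/$name for each name without ever invoking /bin/sh.
# Names are single path components: anything containing "/" or naming
# "." / ".." is refused rather than silently creating something outside
# $dir. Returns the number of directories requested.
sub make_dirs {
    my ($dir, @names) = @_;
    for my $n (@names) {
        die "refusing name '$n'\n"
            if $n eq '' || $n eq '.' || $n eq '..' || $n =~ m{/};
    }
    return 0 unless @names;
    # Multi-element list: Perl exec()s mkdir directly, so the shell never
    # sees these strings. The "--" additionally stops mkdir from reading a
    # leading "-" (e.g. a relative $dir named "-x") as an option, which the
    # list form alone does not prevent.
    my $rc = system('mkdir', '-p', '--', map { "$dir/$_" } @names);
    if ($rc != 0) {
        die "mkdir could not be run: $!\n" if $rc == -1;
        die "mkdir exited with status ", $? >> 8, "\n";
    }
    return scalar @names;
}

# Constructed sample input: names a shell would split, expand or chain as
# commands if they were interpolated into a backtick string.
my @names = ('plain', 'has space', 'semi;colon', 'dollar$HOME', '-dash');
my $dir   = tempdir(CLEANUP => 1);

my $made = make_dirs($dir, @names);
print "created $made directories under $dir\n";

# Each entry exists under its literal name, metacharacters included.
for my $n (@names) {
    printf "%-8s %s\n", (-d "$dir/$n" ? 'ok' : 'MISSING'), $n;
}

# A traversal attempt is refused before any command runs.
eval { make_dirs($dir, '../escape') };
print "rejected: $@" if $@;
```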

Re^3: Directory Structure.
by shmem (Chancellor) on Apr 01, 2017 at 10:13 UTC
    if you're passing user input to the shell

    if you're passing data from untrusted sources unlaundered into the shell (see perlsec) is both more general and to the point. If I'm the user - whom I mostly trust - there's nothing wrong with my data. Except if there is, of course.

    </nitpick>

    perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'

      If I'm the user - whom I mostly trust - there's nothing wrong with my data.

      DO you trust yourself?

      I trust myself to not try and actively exploit or sabotage my own systems. I do not trust myself to always get things right -- coding defensively and making things fail gracefully, avoiding unexpected and potentially dangerous behavior, is a good thing!

      Avoiding the shell (unless you have a good reason not to) is like using strict. Yes, I trust myself, but I know I'm not perfect, so I'd rather have that extra safety net.

      (There's also the question of whether whoever is at the terminal, logged in as you, is ACTUALLY you, but in my case that's a lesser concern.)

        DO you trust yourself?

        Again, mostly. If I didn't, I couldn't be doing my job. Come on, if I don't trust myself, whom else could I trust?

        I do not trust myself to always get things right

        That's why I wrote Except if there is, of course.

        But that's not the point of my previous posting. It is not only user input, but unlaundered data from any source which cannot be trusted.

        perl -le'print map{pack c,($-++?1:13)+ord}split//,ESEL'