This is a good point - unless you know that you need it, you should always avoid headaches and avoid the shell! Modules such as IPC::Run3 and IPC::System::Simple have an API that allows you to avoid calling the shell; make sure to read their docs. Anyway, here are the relevant bits of doc from system and exec:
Note that argument processing varies depending on the number of arguments. If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is /bin/sh -c on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to execvp, which is more efficient.
Using an indirect object with exec or system is also more secure. This usage (which also works fine with system()) forces interpretation of the arguments as a multivalued list, even if the list had just one argument. That way you're safe from the shell expanding wildcards or splitting up words with whitespace in them.
@args = ( "echo surprise" );
exec @args; # subject to shell escapes if @args == 1
exec { $args[0] } @args; # safe even with one-arg list
The first version, the one without the indirect object, ran the echo program, passing it "surprise" as an argument. The second version didn't; it tried to run a program named "echo surprise", didn't find it, and set $? to a non-zero value indicating failure.
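As an added example (not part of the original post or of the perldoc text quoted above), here is a small Perl script that exercises the argument-processing cases the documentation describes: a single scalar with metacharacters that goes through /bin/sh -c, a multi-element LIST that goes straight to execvp, the one-element indirect-object form from the perldoc snippet that fails to exec, and the indirect-object form with the program name and argument as separate elements. The function names and the input string are constructed for illustration; the script assumes a Unix platform where the shell is /bin/sh and an echo program is in PATH.

```perl
#!/usr/bin/env perl
# Added example, not from the original post or perldoc: exercises the
# argument-processing cases of system() described above.
# Assumes a Unix platform (/bin/sh -c) with an `echo` program in PATH.
use strict;
use warnings;

$| = 1;   # unbuffer STDOUT so our labels interleave sanely with child output

# Constructed "untrusted" value, the kind a form field or filename might
# carry: it contains a shell command separator.
my $untrusted = 'surprise; echo INJECTED';

# Case 1: one scalar containing metacharacters. Perl hands the whole
# string to /bin/sh -c, so the ';' is parsed and a second command runs.
sub single_scalar {
    my ($value) = @_;
    return system("echo $value");          # prints "surprise" then "INJECTED"
}

# Case 2: LIST with more than one element. Perl calls execvp directly;
# the string reaches echo as one literal argv element, no shell involved.
sub list_form {
    my ($value) = @_;
    return system('echo', $value);         # prints "surprise; echo INJECTED"
}

# Case 3: the perldoc snippet. The indirect object forces list
# interpretation even for a one-element list, so the shell is never
# consulted; the program name is literally "echo surprise", which does
# not exist, so exec fails and system() returns -1 (and $? is -1).
sub indirect_one_element {
    my @args = ('echo surprise');
    return system { $args[0] } @args;      # warns: Can't exec "echo surprise"
}

# Case 4: indirect object with program and argument as separate elements.
# Same no-shell behaviour as case 2, and it stays that way even if the
# argument list ever shrinks to one element.
sub indirect_list {
    my ($value) = @_;
    my @args = ('echo', $value);
    return system { $args[0] } @args;      # prints "surprise; echo INJECTED"
}

for my $case (
    [ 'single scalar, shell parses it',  sub { single_scalar($untrusted) } ],
    [ 'list form, execvp directly',      sub { list_form($untrusted) } ],
    [ 'indirect object, one element',    sub { indirect_one_element() } ],
    [ 'indirect object, program + args', sub { indirect_list($untrusted) } ],
) {
    my ($label, $run) = @$case;
    print "== $label ==\n";
    my $rc = $run->();
    print "   system() returned $rc, \$? = $?\n";
}
```

Only case 1 prints the second line "INJECTED"; cases 2 and 4 print the separator and the trailing text as part of one literal argument, which is exactly the property the list and indirect-object forms give you.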