in reply to Question about input pipes and sub-shells

Yes, you should be careful about what can be called... taint mode wouldn't be a bad idea... I am not sure, but I think using \Q \E around $pattern would pretty much prevent any quotes, semicolons, pipes or the like from subverting your script by putting a \ in front of non-word chars... like so...
unless (open(PIPE, "search \Q$pattern\E |")) {
This also removes the need for the quotes around $pattern since spaces will be escaped.

                - Ant
                - Some of my best work - (1 2 3)

Re: Re: Question about input pipes and sub-shells
by Joey The Saint (Novice) on Nov 14, 2001 at 20:33 UTC

    Thanks for the advice. I'd planned to use taint mode too, but my experience with taint-perl so far is that the biggest gains are from ensuring that you cannot pass along values that haven't been properly checked. My problem, though, is that I'm really not able to do much validation since I want to be able to pass through almost any valid POSIX regular expression to the 'search' command.

    Just so I'm clear, won't using \Q and \E mangle the contents of $pattern in such a way that if it contained:

    (tcp|udp)RxPacket

    as an example, the 'search' command would see:

    \(tcp\|udp\)RxPacket

    Which would cause it to treat it as a regular expression with no special characters in it, i.e., it would be looking for a string "(tcp|udp)RxPacket" rather than "tcpRxPacket" or "udpRxPacket".

    -J.
      No, the escapes are for the shell, and it handles them. Your script gets what you want.

      Of course, you could always use fork and exec, that would end your shell issues... but make the code more difficult.

                      - Ant
                      - Some of my best work - (1 2 3)
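An added example, not from the thread, showing the two launch methods discussed above side by side: the \Q...\E string handed to the shell, and the list form of open() that forks and execs without a shell. The `search` command is hypothetical, so a child perl that echoes its arguments stands in for it; `@SEARCH`, `check_pattern` and the sample patterns are my own constructions.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Stand-in for the hypothetical 'search' command: a child perl that prints
# each argument it received on its own line, so we can see exactly what a
# user-supplied $pattern looks like by the time it reaches the child.
my @SEARCH = ($^X, '-le', 'print for @ARGV');

# Refuse patterns a command would parse as an option; neither launch method
# below protects against that on its own.
sub check_pattern {
    my ($pattern) = @_;
    die "pattern must not start with '-'\n" if $pattern =~ /^-/;
    return $pattern;
}

# Method 1, as suggested in the thread: one command string handed to /bin/sh,
# with the pattern inside \Q...\E so every non-word character is
# backslash-escaped for the shell. The shell strips the backslashes again,
# so the child sees the original, unmangled pattern.
sub run_via_shell {
    my ($pattern) = @_;
    check_pattern($pattern);
    my $cmd = join(' ', map { "\Q$_\E" } @SEARCH) . " \Q$pattern\E";
    open(my $fh, "$cmd |") or die "cannot start child: $!";
    my @out = <$fh>;
    close($fh) or die "child failed: $?";
    chomp @out;
    return \@out;
}

# Method 2, the fork-and-exec route from the last reply: the list form of
# open() passes the argument vector straight to execvp, so no shell ever
# parses the pattern and no escaping is needed (not available on every
# platform, e.g. older Windows perls).
sub run_without_shell {
    my ($pattern) = @_;
    check_pattern($pattern);
    open(my $fh, '-|', @SEARCH, $pattern) or die "cannot start child: $!";
    my @out = <$fh>;
    close($fh) or die "child failed: $?";
    chomp @out;
    return \@out;
}

# Constructed sample patterns: the one from the question plus one packed
# with shell metacharacters (quotes, a variable, a glob and a pipe).
for my $p ('(tcp|udp)RxPacket', q{it's a "test" $HOME * |}) {
    printf "%-24s shell=%s direct=%s\n", $p,
        (run_via_shell($p)->[0]     eq $p ? 'intact' : 'MANGLED'),
        (run_without_shell($p)->[0] eq $p ? 'intact' : 'MANGLED');
}
```

Both lines should report `intact`: the escapes exist only for the shell's benefit, and the list form never involves the shell at all.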