in reply to system, pipes, shell, quoting

I need to handle the possibility that the variables contain arbitrary weird characters ... Is there a standard way to deal with this, while keeping the convenience of the above line of code?

Yes. Untaint your data. Filter the variables through whatever regexes guarantee that the variables contain only "safe" strings. Don't invoke system() if any string doesn't pass. That's the easiest, safest way to be bulletproof, and it's the standard way, too.

Replies are listed 'Best First'.
Re: Re: system, pipes, shell, quoting
by superpete (Beadle) on Nov 13, 2002 at 06:10 UTC
    you seem to have lots of experience :-)

    Do you have any specific implementation examples of how to quote arbitrary characters to the shell in a system or open ?

[reply]
      Do you have any specific implementation examples of how to quote arbitrary characters to the shell in a system or open ?

      I avoid situations where arbitrary characters have to be quoted. In the rare case where I have a CGI form that accepts something like a filename, I'll reject the name if it contains any funny characters. Trying to escape funny characters is a losing battle.

      I also keep my filenames simple (using only alphanumerics, underscores, dashes, and periods).

[reply]
        Alas, I do not have the luxury of making up my own filenames.

        I am working on a "utility" type program executed from crontab rather than as a CGI, and my filenames come from walking a directory tree. The files might be generated by anything, and I want to cover all the bases.

        Trying to escape funny characters is a losing battle.

        Well... sort-of. Not a problem when doing straight open's, or simple system's (systen with a list of arguments avoids the shell).

        When launching a "pipeline" of several external programs, the shell provides tremendous convenience... see original post.

[reply]
[reply]
Re: Re: system, pipes, shell, quoting
by tigervamp (Friar) on Nov 13, 2002 at 20:00 UTC
    Maybe I am missing something, but it seems like you just want to be able to pass arguments to your programs without having the shell interpret any special characters. Most good shells don't interpret anything in single quotes, so what you might want to do something like this: 
    ...
my $argument = something;
my $argument2 = somthing else;
$argument = "'".$argument."'"; #surround in quotes
$argument2 = "'".$argument2."'"; #surround in quotes
$exec_string = "$program $argument $argument2";
system("$exec_string");
...

    [download]
    This way, all of your arguments are passed to the shell within single quotes, nothing is escaped or interpreted in any special way, and each arguement will be a single word even if there are spaces in the argument. Of course, you have to be using a shell that works this way or similiar, and if there is a possibility that the $argument will contain single quotes, you have to account for that with something like this: 
    ...
$argument=~s/'/'"'"'/g;
...

    [download]
    before further processing. This all works for the bash shell and should me easily modifiable for most others.
[reply]
[d/l]
[select]

In Section Seekers of Perl Wisdom