File this under a "Lessons Learned" category:

Apple recently released a new version of iTunes, a program for Mac users to make their own music, to the world last weekend (11/2). However, those that rushed to install this update found that not only did the update not work, but it completely wiped out their hard drives. Apple quickly pulled this version, and rereleased a new version that behaved as expected.

The problem? According to posts on the Slashdot report, it had to do with the Unix underpinnings of Mac OS X. Specifically, the installer ran a Unix batch file which contained the following:

#!/bin/sh
# if current iTunes pkg exists, delete it b/c of Installer bug
if [ -e $1Library/Receipts/iTunes.pkg ] ; then
    rm -rf $1Library/Receipts/iTunes.pkg 2> /dev/null
fi
# if iTunes application currently exists, delete it
if [ -e $2Applications/iTunes.app ] ; then
    rm -rf $2Applications/iTunes.app 2> /dev/null
fi

The values of $1 and $2 were filled in with path information based on the OS finding the location of the previous version of iTunes. Certainly nothing terribly wrong with this, but remember that on Macs, it's very common to name folders with spaces embedded in them. If either $1 or $2 had a space, the script would execute normally but could easily delete much of the system.

The solution was easy: simply quote the file names to check existence and deletion on.

Relating this to perl, whenever you do system/exec commands in which you are specifying file names that might come from a tainted source, or even if they aren't untainted, it's typically always a good idea to quote the filename to prevent any special characters from getting in the way. For example:

$file = "testdir /";         # oops, typo!
system( "rm -rf $file" );    # double oops
system( "rm -rf '$file'" );  # will probably get an error
                             # from the command, but your
                             # root dir is still there.

And it's nearly always better to use any perl builtin functions over system commands if they perform the same task (eg unlink $file vs system("rm -rf $file")).

-----------------------------------------------------
Dr. Michael K. Neylon - mneylon-pm@masemware.com || "You've left the lens cap of your mind on again, Pinky" - The Brain
"I can see my house from here!"
It's not what you know, but knowing how to find it if you don't know that's important
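As an added illustration of the post above (this is not Masem's code), the following script builds a throwaway directory whose name contains a space, in the style of a Mac volume name, and shows what the shell actually hands to a command in each of the three forms: unquoted interpolation, shell quoting, and the list form of system() that never touches a shell at all. A harmless printf stands in for rm so the split is visible without deleting anything; the "Macintosh HD/" prefix is a constructed stand-in for the installer's $2.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Path qw(make_path remove_tree);

# Constructed demo tree: a parent directory with a space in its name,
# under a temp directory that is removed when the script exits.
my $root   = tempdir( CLEANUP => 1 );
my $prefix = "$root/Macintosh HD/";   # assumed stand-in for $2 in the installer script
my $target = "${prefix}Applications/iTunes.app";
make_path($target);

# 1. Interpolated unquoted into a shell string: the shell splits on the
#    space, so the command receives two arguments. Each [..] below is
#    one argument exactly as the shell delivered it.
print "Unquoted interpolation, as the shell sees it:\n";
system("printf '[%s]\\n' ${prefix}Applications/iTunes.app");

# 2. Single-quoted inside the shell string (the fix Apple shipped):
#    back to one argument.
print "Quoted in the shell string:\n";
system("printf '[%s]\\n' '${prefix}Applications/iTunes.app'");

# 3. List form of system(): Perl execs the program directly with no
#    shell in between, so there is nothing to split and nothing to
#    quote. Prefer this whenever an external command really is needed.
print "List form, no shell involved:\n";
system( 'printf', '[%s]\n', $target );

# 4. Better still, skip the external command and use Perl's own
#    functions (unlink for files, File::Path::remove_tree for trees).
remove_tree($target) if -e $target;
print "remove_tree removed: $target\n";

# The parent with the space in its name is untouched, which the
# unquoted "rm -rf" could not guarantee.
my $parent_ok = -d "${prefix}Applications";
print $parent_ok ? "parent directory intact\n" : "parent directory gone\n";
```

Running it prints two bracketed fragments for case 1 and a single full path for cases 2 and 3, which is the whole difference between the broken installer and the fixed one.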
