in reply to Re^3: Asynchronous Program Spawning
in thread Asynchronous Program Spawning

If you do that as

system qq[program "$filename" &];

It won't matter if the filename contains spaces or not. That's a simple programming problem and hardly worthy of description as "security issue".

As for "injection attacks", I assume that you mean if the source of all or part of the command supplied to the system command is an untrusted external source, then care must be taken. I fail to see how the start command is any more or less of a security risk than invoking an untrusted command directly.

If you get data from untrusted sources, don't you have to be just as careful invoking that data as a command directly as you do invoking it indirectly via a command shell?


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

Re^5: Asynchronous Program Spawning
by ikegami (Patriarch) on Feb 12, 2006 at 19:48 UTC

    I didn't say it was impossible. I didn't say it was hard. I was just giving a warning. And apparently it was warranted, since your code suffers from the very bug I mentioned. It will fail when the file name contains a double-quote.

    If you get data from untrusted sources, don't you have to be just as careful invoking that data as a command directly as you do invoking it indirectly via a command shell?

    You have one less thing to protect yourself against. By using system PROGRAM, LIST, you don't have to worry about special characters.

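The two call styles contrasted above, as an added example that is not code from either poster. It assumes a Unix-like system with /bin/sh, uses a constructed file name, and stands in for "program" with a perl one-liner that shows the arguments it actually received; the fork-based spawn_background helper is also an addition, covering the asynchronous part without the shell's "&".

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample name with spaces and an embedded double quote.
my $filename = q{my "report" v2.txt};

# Stand-in for "program": prints each argument it receives on its own line,
# so the difference between the two call styles is visible.
my $show_args = 'print "[$_]\n" for @ARGV';

# 1. Shell form (the style under discussion). Because the string contains
#    shell metacharacters, Perl hands it to /bin/sh. The shell does the quote
#    parsing, so the quotes inside $filename pair up with the ones we added
#    and are stripped: the program is started with the wrong file name.
#    An unbalanced quote would instead be a shell syntax error, and any other
#    metacharacter in the name is interpreted by the shell, not passed through.
system(qq[perl -e '$show_args' "$filename"]) == 0
    or warn "shell form failed: $?\n";

# 2. List form. With more than one element, system() bypasses the shell and
#    passes each element to execvp() verbatim, so spaces, quotes and other
#    metacharacters in $filename are ordinary characters.
system('perl', '-e', $show_args, $filename) == 0
    or warn "list form failed: $?\n";

# 3. The trailing "&" only works because the shell backgrounds the job. To
#    launch asynchronously while keeping the list form, fork and exec instead.
sub spawn_background {
    my @cmd = @_;
    my $pid = fork();
    die "fork failed: $!" unless defined $pid;
    if ($pid == 0) {
        # Child: the block form of exec forces list semantics even for a
        # single-element list, so a shell is never involved.
        exec { $cmd[0] } @cmd or die "exec failed: $!";
    }
    return $pid;    # parent continues immediately; waitpid() when convenient
}

my $pid = spawn_background('perl', '-e', $show_args, $filename);
waitpid($pid, 0);   # reaped here only so this demonstration exits cleanly
```

Running it shows the shell form reporting a single mangled argument while the list form and the forked child both receive the file name intact.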