in reply to Re^3: Question using system.
in thread Question using system.

Perhaps I don't understand IPC as well as I thought I did. ikegami, would you mind explaining why this is supposed to be better? 


-- 
Human history becomes more and more a race between education and catastrophe. -- HG Wells

Replies are listed 'Best First'.
Re^5: Question using system.
by ikegami (Patriarch) on Jul 10, 2008 at 20:54 UTC

    It wasn't required for that particular command, but it avoids the need for shell quoting. 

    # XXX Buggy and susceptible to injection attacks.
open(my $cmd, "getfilesdata $file |")

# Fixed
open(my $cmd, '-|', 'getfilesdata', $file)

    [download]
[reply]
[d/l]

      Sorry, I'm still unclear. I can see the 'buggy' part - e.g., specifying a "filename" containing odd characters which would cause Perl to barf on syntax - but injection attacks? Searching the Web doesn't come up with anything other than SQL injection attacks. 

      
-- 
Human history becomes more and more a race between education and catastrophe. -- HG Wells
[reply]

        An injection attack occurs when data is treated as code, possibly due to improper escaping.
        It can occur in SQL statements.
        It can occur in shell command lines.
        It can occur in evaled strings.
        It can occur in HTML (known as Cross-Site Scripting)
        etc.

        What if $file holds "| rm -rf /"? It's even a perfectly valid path, so it's not a validation issue.

        Update: Added links. Refined definition.

[reply]
[d/l]

In Section Seekers of Perl Wisdom