vinoth.ree has asked for the wisdom of the Perl Monks concerning the following question:

When using system() calls in Perl, do you have to escape the shell args, or is that done automatically? The arguments will be user input, so I want to make sure this isn't exploitable.

Vinoth,G

Re: Should I escape shell arguments in Perl?
by moritz (Cardinal) on Apr 20, 2009 at 09:17 UTC
    If you use the LIST form of system, you don't need to escape anything.
Re: Should I escape shell arguments in Perl?
by Utilitarian (Vicar) on Apr 20, 2009 at 09:53 UTC
    If your user is providing the args, you will need to escape them. & && || ; will all allow access to the command line if you don't escape them.

    While the system(@args) approach avoids the need to escape args from a functional perspective, from a security perspective they will need to be escaped.

      While the system(@args) approach avoids the need to escape args from a functional perspective, from a security perspective they will need to be escaped.

      Could you explain what you mean in more detail?

        If you use system in the following fashion you don't need to worry about quotes, shell vars etc. being interpreted by Perl.
        @args = qw(command arg1 arg2); system(@args);
        Oh, and on testing, not by the shell either:
        ~$ perl -e '@args=qw(echo Hello;echo World); system(@args);'
        Hello;echo World
        So it prevents this form of abuse by default, I wasn't aware of that feature at all. Thanks
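The difference between the string form and the LIST form that moritz and Utilitarian are discussing above, worked through as an added example (not code from the thread). The "user input" is a constructed string carrying a shell metacharacter; the program name echo is used only because its output makes the argument boundary visible.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Constructed sample "user input": a single value that contains a shell
# metacharacter. Assume it arrived from a form field or CLI argument.
my $user_input = 'Hello;echo World';

# STRING form: Perl sees one string containing a metacharacter, hands it to
# /bin/sh -c, and the ';' turns the user's value into a second command.
# Output: "Hello" on one line, "World" on the next.
print "string form:\n";
system("echo $user_input");

# LIST form with more than one element: Perl calls execvp() directly and no
# shell is involved, so the whole value, ';' included, reaches echo as one
# argument. Output: "Hello;echo World" on a single line.
print "list form:\n";
system('echo', $user_input);

# Caveat: a ONE-element list is treated like the string form. If the single
# string contains metacharacters Perl still goes through the shell.
# The indirect-object form forces the execvp() path even for one argument;
# the block supplies the program to run and the list supplies argv.
print "indirect-object form, shell never consulted:\n";
system { '/bin/echo' } 'echo', $user_input;

# Check the exit status the way perldoc -f system describes, so a failure
# to execute is not silently ignored.
my $rc = system('echo', $user_input);
if ($rc == -1) {
    die "failed to execute: $!\n";
}
elsif ($rc & 127) {
    die sprintf "child died with signal %d\n", $rc & 127;
}
else {
    printf "child exited with value %d\n", $rc >> 8;
}
```

The LIST form settles the shell-metacharacter question the thread is about: with two or more elements there is no shell to interpret them. One general caveat the thread does not raise: the child program still interprets its own argv, so a value beginning with a dash can be read as an option by the called program. Validate user input against an allowlist, or put `--` before user-supplied arguments where the program honours it, in addition to using the LIST form.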
Re: Should I escape shell arguments in Perl?
by Corion (Patriarch) on Apr 20, 2009 at 13:21 UTC