in reply to Should I escape shell arguments in Perl?

If your user is providing the args, you will need to escape them. & && || ; will all allow access to the command line if you don't escape them.

While the system(@args) approach avoids the need to escape args from a functional perspective, from a security perspective they will need to be escaped.


Re^2: Should I escape shell arguments in Perl?
by salva (Canon) on Apr 20, 2009 at 10:50 UTC
    While the system(@args) approach avoids the need to escape args from a functional perspective, from a security perspective they will need to be escaped.

    Could you explain what you mean in more detail?

      If you use system in the following fashion you don't need to worry about quotes, shell vars etc. being interpreted by Perl.
      @args=qw(command arg1 arg2); system(@args);
      Oh, and on testing, not by the shell either:
      ~$ perl -e '@args=qw(echo Hello;echo World);system(@args);'
      Hello;echo World
      So it prevents this form of abuse by default; I wasn't aware of that feature at all. Thanks
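As an added example (not code from the thread), the behaviour described above in one runnable script: the string form of system() that reaches the shell, the list form that does not, the documented caveat that a one-element list is treated like the string form, and an input allowlist as defence in depth. The safe_arg helper and its pattern are assumptions of the example, not anything the thread proposes.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. Contrasts the shell form and the
# list form of system() with a constructed argument that carries a ';'.
use strict;
use warnings;

# Constructed "user input": harmless, but a shell would read ';' as a
# command separator and run "echo World" as a second command.
my $user_arg = 'Hello;echo World';

# 1. One string: Perl sees metacharacters and passes the whole line to
#    /bin/sh, so two commands run. This is the form that needs escaping.
print "--- system(STRING) ---\n";
system("echo $user_arg") == 0 or die "system failed: $?";

# 2. List with more than one element: Perl calls execvp() directly, no shell.
#    echo receives "Hello;echo" as its first argument, verbatim.
print "--- system(LIST) ---\n";
system('echo', $user_arg) == 0 or die "system failed: $?";

# 3. Caveat: a one-element list is treated like the string form and goes
#    through the shell if that element contains metacharacters. The
#    indirect-object form forces the no-shell path whatever the list length.
print "--- system { PROG } LIST ---\n";
my @cmd = ('echo', $user_arg);
system { $cmd[0] } @cmd;
die "system failed: $?" if $? != 0;

# 4. Defence in depth: the list form keeps the shell out, but the called
#    program still sees the raw value. Reject anything outside an explicit
#    allowlist before it reaches system() at all (pattern is an assumption).
sub safe_arg {
    my ($arg) = @_;
    return $arg =~ /\A[\w.\-]{1,64}\z/ ? $arg : undef;
}
for my $candidate ($user_arg, 'Hello') {
    my $ok = safe_arg($candidate);
    printf "%-20s -> %s\n", "'$candidate'", defined $ok ? 'accepted' : 'rejected';
}
```

Case 1 prints "Hello" and then "World" on separate lines; cases 2 and 3 print the single line "Hello;echo World", matching the one-liner quoted above.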