The dangers are much overrated. They aren't specific to system, `` suffers from that as well (and system has a safer variant). However, if you accept input from untrusted sources, File::Copy is "dangerous" as well.
But if you're in control of creating the command, neither option is more dangerous than you typing it on the command line.
Copy is a copy...
I mean that in File::Copy the input parameters have verification for entered data.
But if I use the command system('cp '.$src.' '.$dst) and $dst can be changed by the user, we have a big problem with execution of any native Linux commands.
I haven't tested this example, but this or something like it must work.
As an example, $dst='text.txt; cat /etc/passwd | mail ...'. If this script is used with root privileges...
Yeah, but if $dst can be changed by a user,
File::Copy::copy($src, $dst);
can wipe any file you care about. Note that prevention of executing arbitrary commands is trivial using system:
system '/bin/cp', $src, $dst;
Not any more dangerous than File::Copy.
As an example, $dst='text.txt; cat /etc/passwd | mail ...'. If this script is used with root privileges...
Yawn. If the script is executed with root privileges, and $dst = '/etc/passwd', File::Copy::copy("blah", $dst); isn't exactly harmless.
Oh, and if you're going to accept data from others, you ought to be using taint mode anyway. And properly detaint your input.
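An added example, not code from any poster in this thread: it combines the two defences discussed above, the list form of system (no shell, so `;` and `|` are plain characters) and taint-mode untainting that also stops a user-chosen $dst from naming an arbitrary file. The directory /var/spool/uploads and the helper names safe_dest and copy_to are assumptions made for illustration.

```perl
# Run with taint mode on:  perl -T copy_demo.pl
use strict;
use warnings;
use File::Spec;

# Taint mode refuses to run external programs while these are untrusted.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

my $DEST_DIR = '/var/spool/uploads';   # assumed: the only directory we write to

# Return an untainted path inside $DEST_DIR, or undef if the name is refused.
# Allow-list: a bare file name, no '/', no leading '.' or '-', max 64 chars.
sub safe_dest {
    my ($name) = @_;
    return undef unless defined $name;
    return undef unless $name =~ /\A([A-Za-z0-9_][A-Za-z0-9._-]{0,63})\z/;
    return File::Spec->catfile($DEST_DIR, $1);   # the capture $1 is untainted
}

# Copy $src to a validated name under $DEST_DIR. $src must come from a
# trusted source (or be untainted the same way) or taint mode will die here.
sub copy_to {
    my ($src, $name) = @_;
    my $dst = safe_dest($name);
    die "refusing destination name\n" unless defined $dst;
    # List form: cp is executed directly, no shell parses the arguments.
    # '--' stops cp from treating a file name as an option.
    system('/bin/cp', '--', $src, $dst) == 0
        or die "cp failed: status $?\n";
    return $dst;
}

# Constructed inputs, including the $dst value quoted in the thread.
my @names = (
    'text.txt',
    'text.txt; cat /etc/passwd | mail ...',
    '/etc/passwd',
    '../x',
    '-r',
);
for my $name (@names) {
    my $dst = safe_dest($name);
    printf "%-42s => %s\n", "'$name'", defined $dst ? $dst : 'rejected';
}
```

Only the first name is accepted; the other four are rejected before any copy is attempted, which covers both the command-injection case and the overwrite-/etc/passwd case raised in the replies.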