On Sat, Dec 22, 2001 at 01:53:47AM -0800, Harry Souders wrote:
> system("rm -- $filename");
I did not explain this fully in my last post, but I strongly recommend always
passing system() a list of strings rather than a single string argument. If
there is one string arg (e.g., "rm foo"), perl emulates system(3), which
means that the string is interpreted by /bin/sh. I imagine I do not need to
explain to this group why that is a bad idea when dealing with arbitrary
strings.
It is much better to use system('command', 'arg1', 'arg2', ... 'arg n'). In
this case, the program named by the first argument is called (via fork(2) and
execvp(3)) directly by perl, without a shell. The potential security problem
is thereby eliminated.
As Harry pointed out, rm(1) chokes on filenames that begin with a hyphen. All
cases I can think of should be covered by system('/bin/rm', '--', $filename).
--
Henry House
The attached file is a digital signature. See <http://romana.hajhouse.org/pgp>
for information. My OpenPGP key: <http://romana.hajhouse.org/hajhouse.asc>.
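As an added illustration of the list-form call described in this reply (example code written for this page, not from the thread; the `safe_rm` helper, the temporary directory and the awkward file names are constructed here):

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Remove one file whose name is untrusted. Passing a list to system() makes
# perl fork and execvp(3) /bin/rm directly, so no shell ever parses
# $filename; the '--' stops rm(1) from treating a leading hyphen as an
# option. The one-string form system("rm -- $filename") would instead hand
# the whole line to /bin/sh, where ';', '$' and spaces all have meaning.
sub safe_rm {
    my ($filename) = @_;
    my $status = system('/bin/rm', '--', $filename);
    if ($status == -1) {            # exec itself failed (e.g. rm not found)
        warn "could not run /bin/rm: $!\n";
        return 0;
    }
    return $status == 0;            # zero means rm exited successfully
}

# Constructed scratch directory holding names that would misbehave either
# in front of rm's option parser or inside a shell command line.
my $dir   = tempdir(CLEANUP => 1);
my @names = ('-rf', 'a b;echo injected', '$HOME', 'plain.txt');

chdir $dir or die "chdir $dir: $!";
for my $name (@names) {
    open(my $fh, '>', $name) or die "create '$name': $!";
    close $fh;
    my $ok = safe_rm($name);
    printf "%-24s %s\n", "'$name'", ($ok && !-e $name) ? 'removed' : 'FAILED';
}
chdir '/' or die "chdir /: $!";     # leave the scratch dir so CLEANUP can remove it
```

Every name is removed literally, including '-rf' (thanks to '--') and the ones that a shell would have split or expanded.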