[Catalyst] Re: How to redirect before some code excute
A. Pagaltzis
pagaltzis at gmx.de
Fri Oct 27 00:17:43 GMT 2006
* Jonathan Rockway <jon at jrock.us> [2006-10-26 22:10]:
> Basically you're entering into the fun game of trying to escape
> all possible bad inputs, which is pretty close to impossible.
Quoting for Unix shells is easy to get right: you turn all single
quotes in the string into the sequence
'\''
then surround the string with single quotes. That’s it, you’re
done.
> You can do better if you use the list form:
>
> system('date', '+%s');
>
> That will call execvp directly, meaning that quotes, slashes,
> etc. become meaningless.
Except then you can’t use `&` at the end of the command to put it
in the background as in the original suggestion, because that
requires shell to interpret the command.
> Anyway, you *can* invoke the shell from your app, but you're
> playing with fire and should be aware of the risks.
In general I would agree that shell should be avoided whenever
possible, simply because the fewer moving parts you have, the
more robust the overall system is. But when it really makes sense
to rely on shell, you shouldn’t fear using it either – certainly
it isn’t any more dangerous than any other instance of the
strings problem.
Regards,
--
Aristotle Pagaltzis // <http://plasmasturm.org/>
More information about the Catalyst
mailing list