For security I would add one additional caution. When executing a command, wherever possible use the full pathname, to prevent running a malicious file hidden in your PATH. Example: "/bin/ls" and not "ls".
Darryl Baker (he/him/his)
Sr. System Administrator
Distributed Application Platform Services
Northwestern University
1800 Sherman Ave. Suite 6-600 – Box #39
Evanston, IL 60201-3715
darryl.ba...@northwestern.edu
(847) 467-6674

From: "Chas. Owens" <chas.ow...@gmail.com>
Date: Tuesday, July 24, 2018 at 8:00 AM
To: "Lauren C." <lau...@miscnote.net>
Cc: "beginners@perl.org" <beginners@perl.org>
Subject: Re: about system() call

The first spawns a shell and can handle things like globs. This is less efficient, more powerful, and more dangerous (susceptible to code injection attacks). The second does not spawn a shell and therefore cannot handle globs. It is also less susceptible to code injection attacks.

    system "ls *.pl";

is equivalent to typing

    ls *.pl

on the command line.

    system "ls", "*.pl";

is equivalent to typing

    ls '*.pl'

on the command line (the glob does not expand).

Code injection attacks can occur when you use untrusted data in something that runs code (like string eval) or executes programs (like system):

    my $user = untrusted_source();
    system "ls /home/$user > /tmp/userfiles";

If the untrusted source returns "; cat /etc/passwd" then you will copy the passwd file to /tmp/userfiles instead of the intended output. It is always good to sanitize user inputs (ensure that the values are within the expected values) that are untrusted for this reason.

If you are handling untrusted data often, it is a good idea to turn on taint mode in Perl. It will throw a runtime error if you try to use untrusted data without sanitizing it with a regex or other sanitizing function. See https://perldoc.perl.org/perlsec.html#Taint-mode for more information.
On Tue, Jul 24, 2018 at 8:37 AM Lauren C. <lau...@miscnote.net> wrote:

Hi,

    $ perl -le 'system "df -h"'
    $ perl -le 'system "df","-h"'

Both styles work fine. What's the difference between them and which is better usage?

Thanks.
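The points made in this thread (list-form system, whitelist validation of untrusted input, taint mode, and full pathnames) put together in one runnable script. This is an added example, not code from any of the posters; the user-name pattern, the helper names and the sample injection value are my own choices, and the /tmp/userfiles path is kept only to mirror the thread (a fixed file name in a world-writable directory is its own hazard, so real code would pick a private location).

```perl
#!/usr/bin/perl -T
# Added example, not from the mailing-list thread. Run under taint mode:
#   perl -T safe_ls.pl 'alice; cat /etc/passwd'
#   perl -T safe_ls.pl alice
use strict;
use warnings;
use Scalar::Util qw(tainted);

# Taint mode refuses to run external programs while %ENV may be attacker
# controlled, so set a known PATH and drop the variables perlsec warns about.
$ENV{PATH} = '/bin:/usr/bin';
delete @ENV{qw(IFS CDPATH ENV BASH_ENV)};

# Untrusted input: the first command-line argument (tainted under -T).
# With no argument, fall back to a constructed value carrying the
# injection string from the thread (this fallback is not tainted).
my $raw = @ARGV ? $ARGV[0] : 'alice; cat /etc/passwd';

# Whitelist validation: only a plain Unix user name is accepted (pattern is
# an assumption for this example). Returning the capture is the sanctioned
# way to untaint data under -T: the value is exactly what the regex allowed.
sub validated_username {
    my ($value) = @_;
    return undef unless defined $value;
    return $value =~ /\A([a-z_][a-z0-9_-]{0,31})\z/ ? $1 : undef;
}

# Argument list for ls: full pathname (Darryl's caution), '--' so a directory
# name starting with '-' cannot be parsed as an option, and no shell anywhere.
sub ls_command_for {
    my ($user) = @_;
    return ('/bin/ls', '-l', '--', "/home/$user");
}

# List-form system: every element reaches ls as one argv entry, so ';' and
# '>' are ordinary characters inside a directory name, not shell syntax.
# Returns the child's exit status, or -1 if it could not be started.
sub run_list_form {
    my @cmd = @_;
    my $rc = system @cmd;
    return -1 if $rc == -1;
    return $rc >> 8;
}

# The '> /tmp/userfiles' redirection is what tempts people into the string
# form. A list-form pipe open gives the same result without starting a shell.
sub capture_list_form {
    my ($out_path, @cmd) = @_;
    open my $in,  '-|', @cmd      or die "cannot run $cmd[0]: $!";
    open my $out, '>',  $out_path or die "cannot write $out_path: $!";
    print {$out} $_ while <$in>;
    close $in;
    my $status = $? >> 8;         # exit status of the child, read before anything else touches $?
    close $out or die "cannot close $out_path: $!";
    return $status;
}

printf "input '%s' %s tainted\n", $raw, tainted($raw) ? 'is' : 'is not';

if (defined(my $user = validated_username($raw))) {
    my @cmd = ls_command_for($user);
    print "running: @cmd\n";
    my $status = capture_list_form('/tmp/userfiles', @cmd);
    print "ls exited with status $status; output in /tmp/userfiles\n";
} else {
    print "rejected: input is not a plain user name\n";
    # Show what taint mode adds on top of validation: passing the raw value to
    # system, even in the list form, dies with "Insecure dependency" under -T
    # when the value is tainted. If it is not tainted (the built-in fallback),
    # ls simply receives the whole string as one literal argument and reports
    # that no such directory exists; nothing after the ';' is ever executed.
    my $status = eval { run_list_form(ls_command_for($raw)) };
    if (defined $status) {
        print "list form ran ls with the raw value as one argument; exit status $status\n";
    } else {
        print "taint mode blocked it: $@";
    }
}
```

Run it with a clean name and with the injection string from the thread: the validated path writes the listing to the file with no shell involved, while the rejected path either dies under -T (tainted input) or lets ls fail harmlessly on a directory literally named "/home/alice; cat /etc/passwd".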