我应该在 Perl 中转义 shell 参数吗? [英] Should I escape shell arguments in Perl?

问题描述

在 Perl 中使用 system() 调用时，是否必须转义 shellargs，还是自动完成?

When using system() calls in Perl, do you have to escape the shell args, or is that done automatically?

参数将是用户输入，所以我想确保这是不可利用的.

The arguments will be user input, so I want to make sure this isn't exploitable.

推荐答案

如果你使用 system $cmd, @args 而不是 system "$cmd @args" (一个数组而不是字符串)，那么您不必转义参数，因为没有调用外壳程序(请参阅 系统).system {$cmd} $cmd, @args 也不会调用 shell，即使 $cmd 包含元字符并且 @args 为空(这被记录为 exec).如果 args 来自用户输入(或其他不受信任的来源)，您仍然希望清除它们.请参阅 perlrun 文档中的 -T 和 perlsec 文档.

If you use system $cmd, @args rather than system "$cmd @args" (an array rather than a string), then you do not have to escape the arguments because no shell is invoked (see system). system {$cmd} $cmd, @args will not invoke a shell either even if $cmd contains metacharacters and @args is empty (this is documented as part of exec). If the args are coming from user input (or other untrusted source), you will still want to untaint them. See -T in the perlrun docs, and the perlsec docs.

如果您需要读取输出或将输入发送到命令，qx 和 readpipe 没有等效项.相反，使用 open my $output, "-|", $cmd, @args 或 open my $input, "|-", $cmd, @args 虽然这样不可移植，因为它需要一个真正的 fork 这意味着仅适用于 Unix...我认为.也许它可以通过模拟叉在 Windows 上运行.更好的选择是类似于 IPC::Run，它也将处理这种情况管道命令到其他命令的管道，系统的多参数形式和开放的 4 参数形式都无法处理.

If you need to read the output or send input to the command, qx and readpipe have no equivalent. Instead, use open my $output, "-|", $cmd, @args or open my $input, "|-", $cmd, @args although this is not portable as it requires a real fork which means Unix only... I think. Maybe it'll work on Windows with its simulated fork. A better option is something like IPC::Run, which will also handle the case of piping commands to other commands, which neither the multi-arg form of system nor the 4 arg form of open will handle.

这篇关于我应该在 Perl 中转义 shell 参数吗?的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！