Should I escape shell arguments in Perl?


Question


When using system() calls in Perl, do you have to escape the shell args, or is that done automatically?


The arguments will be user input, so I want to make sure this isn't exploitable.

Recommended answer


If you use system $cmd, @args rather than system "$cmd @args" (an array rather than a string), then you do not have to escape the arguments because no shell is invoked (see system). system {$cmd} $cmd, @args will not invoke a shell either even if $cmd contains metacharacters and @args is empty (this is documented as part of exec). If the args are coming from user input, you will still want to untaint them. See -T in the perlrun docs, and the perlsec docs.


If you need to read the output or send input to the command, qx and readpipe have no equivalent. Instead, use open my $output, "-|", $cmd, @args or open my $input, "|-", $cmd, @args, although this is not portable as it requires a real fork, which means Unix only... I think. Maybe it'll work on Windows with its simulated fork. A better option is something like IPC::Run, which will also handle the case of piping commands to other commands, which neither the multi-arg form of system nor the 4-arg form of open will handle.
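The forms the answer recommends, worked through as an added example that is not code from the original post: list-form system(), the indirect-object form, four-argument open(), and a simple untaint check. The sample input, the child command and the untaint_filename helper are constructed for this example.

```perl
# Added example, not code from the original answer: list-form system(),
# the indirect-object form, four-argument open(), and a simple untaint
# check. The helper name and the sample input are constructed here.
use strict;
use warnings;

# Constructed "user input" containing shell metacharacters.
my $user_input = 'notes.txt; echo INJECTED';

# A child that just reports the arguments it actually received.
my @echo_args = ('perl', '-e', 'print "child got: [$_]\n" for @ARGV');

# String form: the whole line is handed to /bin/sh, which would treat
# ';' as a command separator. Shown only as the pattern to avoid.
# system("perl -e '...' $user_input");

# List form: no shell; the input reaches the child as one literal argument.
system(@echo_args, $user_input) == 0
    or die "child failed: exit status ", $? >> 8, "\n";

# Indirect-object form: guarantees no shell even when the list has a single
# element that contains metacharacters (e.g. a lone program name).
my $rc = system { $echo_args[0] } @echo_args, $user_input;
die "child failed: exit status ", $rc >> 8, "\n" if $rc != 0;

# Four-argument open: read the child's output, again without a shell.
open(my $fh, '-|', @echo_args, $user_input) or die "cannot fork: $!\n";
my @lines = <$fh>;
close($fh) or die "child exited with status ", $? >> 8, "\n";
print "read back via open: $_" for @lines;

# Untainting: under -T, data from @ARGV, %ENV, STDIN or files is tainted
# and system()/open() die with "Insecure dependency" until the value has
# passed through a regex capture. Only a conservative filename alphabet
# is accepted here (an assumed policy for this example).
sub untaint_filename {
    my ($raw) = @_;
    my ($clean) = $raw =~ /^([\w.\-]+)\z/;   # the capture is the untainted copy
    return $clean;                           # undef when rejected
}
for my $candidate ('notes.txt', $user_input) {
    my $clean = untaint_filename($candidate);
    print defined $clean
        ? "accepted: $clean\n"
        : "rejected: $candidate\n";
}
```

Each of the three invocations prints the semicolon-laden input as a single bracketed argument, while the untaint step accepts only the plain filename.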
