在 Perl 中编码时安全地执行系统命令 [英] Executing system commands safely while coding in Perl

问题描述

在 Perl 中编码时真的应该使用外部命令吗?我看到了它的几个缺点.它不是独立于系统的，而且可能存在安全风险.你怎么看?如果没有办法并且您必须使用 Perl 中的 shell 命令，那么执行该特定命令(例如检查 pid、uid 等)的最安全方法是什么?

Should one really use external commands while coding in Perl? I see several disadvantages of it. It's not system independent plus security risks might also be there. What do you think? If there is no way and you have to use the shell commands from Perl then what is the safest way to execute that particular command (like checking pid, uid etc)?

推荐答案

这取决于在 Perl 中复制功能的难度.如果我需要在某些东西上运行 m4 宏处理器，我不会想自己尝试在 Perl 中复制该功能，因为 http://search.cpan.org/ 看起来很合适，看来其他人也同意我的看法.在这种情况下，使用外部程序是明智的.另一方面，如果我需要读取目录的内容，那么 readdir() 等加上 stat() 或 lstat() 的组合 在 Perl 中比使用 ls 的输出更明智.

It depends on how hard it is going to be to replicate the functionality in Perl. If I needed to run the m4 macro processor on something, I'd not think of trying to replicate that functionality in Perl myself, and since there's no module on http://search.cpan.org/ that looks suitable, it would appear others agree with me. In that case, then, using the external program is sensible. On the other hand, if I needed to read the contents of a directory, then the combination of readdir() et al plus stat() or lstat() inside Perl is more sensible than futzing with the output of ls.

如果您需要执行命令，请仔细考虑如何调用它们.特别是，您可能希望避免 shell 解释参数，因此使用 的数组形式系统(另见exec) 等，而不是命令加参数的单个字符串(这意味着 shell 用于处理命令行).

If you need to execute commands, think very carefully about how you invoke them. In particular, you probably want to avoid the shell interpreting the arguments, so use the array form of system (see also exec), etc, rather than a single string for the command plus arguments (which means the shell is used to process the command line).

这篇关于在 Perl 中编码时安全地执行系统命令的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持IT屋！