问题描述

在使用电话，你有逃跑的外壳ARGS，或者是自动完成？

When using system() calls in Perl, do you have to escape the shell args, or is that done automatically?

该参数将用户输入的，所以我要确保这是不可利用。

The arguments will be user input, so I want to make sure this isn't exploitable.

推荐答案

如果您使用系统$ CMD，@args ，而不是系统$ CMD @args（数组而不是字符串），那么你没有逃跑的论点，因为没有外壳被调用（见的）。 系统{$ CMD} $ CMD，@args 不会调用shell要么即使$ CMD包含元字符和@args是空的（这被记录为的）。如果参数是用户输入的到来，你仍然要解除污染他们。参见 -T 在文档和的文档。

If you use system $cmd, @args rather than system "$cmd @args" (an array rather than a string), then you do not have to escape the arguments because no shell is invoked (see system). system {$cmd} $cmd, @args will not invoke a shell either even if $cmd contains metacharacters and @args is empty (this is documented as part of exec). If the args are coming from user input, you will still want to untaint them. See -T in the perlrun docs, and the perlsec docs.

如果你需要阅读的输出或输入发送到命令， QX 和 readpipe 不等价的。相反，使用打开我的$输出， - |，$ CMD，@args 或打开我的$输入| - ，$ CMD ，@args 虽然因为它需要一个真正的叉这只是意味着Unix上是不可移植的...我认为。也许它会在Windows上与它的模拟叉工作。更好的选择是像，这也将处理管道命令其他命令的情况下， ，既不系统的多arg格式也没有开4 arg格式来处理。

If you need to read the output or send input to the command, qx and readpipe have no equivalent. Instead, use open my $output, "-|", $cmd, @args or open my $input, "|-", $cmd, @args although this is not portable as it requires a real fork which means Unix only... I think. Maybe it'll work on Windows with it's simulated fork. A better option is something like IPC::Run, which will also handle the case of piping commands to other commands, which neither the multi-arg form of system nor the 4 arg form of open will handle.

这篇关于我应该逃避外壳参数在Perl？的文章就介绍到这了，希望我们推荐的答案对大家有所帮助，也希望大家多多支持！