我应该逃避外壳参数在Perl

我应该逃避外壳参数在Perl

本文介绍了我应该逃避外壳参数在Perl?的处理方法,对大家解决问题具有一定的参考价值,需要的朋友们下面随着小编来一起学习吧!

问题描述

在使用电话,你有逃跑的外壳ARGS,或者是自动完成?

When using system() calls in Perl, do you have to escape the shell args, or is that done automatically?

该参数将用户输入的,所以我要确保这是不可利用。

The arguments will be user input, so I want to make sure this isn't exploitable.

推荐答案

如果您使用系统$ CMD,@args ,而不是系统$ CMD @args(数组而不是字符串),那么你没有逃跑的论点,因为没有外壳被调用(见的)。 系统{$ CMD} $ CMD,@args 不会调用shell要么即使$ CMD包含元字符和@args是空的(这被记录为的)。如果参数是用户输入的到来,你仍然要解除污染他们。参见 -T 在文档和的文档。

If you use system $cmd, @args rather than system "$cmd @args" (an array rather than a string), then you do not have to escape the arguments because no shell is invoked (see system). system {$cmd} $cmd, @args will not invoke a shell either even if $cmd contains metacharacters and @args is empty (this is documented as part of exec). If the args are coming from user input, you will still want to untaint them. See -T in the perlrun docs, and the perlsec docs.

如果你需要阅读的输出或输入发送到命令, QX readpipe 不等价的。相反,使用打开我的$输出, - |,$ CMD,@args 打开我的$输入| - ,$ CMD ,@args 虽然因为它需要一个真正的这只是意味着Unix上是不可移植的...我认为。也许它会在Windows上与它的模拟叉工作。更好的选择是像,这也将处理管道命令其他命令的情况下, ,既不系统的多arg格式也没有开4 arg格式来处理。

If you need to read the output or send input to the command, qx and readpipe have no equivalent. Instead, use open my $output, "-|", $cmd, @args or open my $input, "|-", $cmd, @args although this is not portable as it requires a real fork which means Unix only... I think. Maybe it'll work on Windows with it's simulated fork. A better option is something like IPC::Run, which will also handle the case of piping commands to other commands, which neither the multi-arg form of system nor the 4 arg form of open will handle.

这篇关于我应该逃避外壳参数在Perl?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!

08-01 02:18