问题描述
在使用电话,你有逃跑的外壳ARGS,或者是自动完成?
When using system() calls in Perl, do you have to escape the shell args, or is that done automatically?
该参数将用户输入的,所以我要确保这是不可利用。
The arguments will be user input, so I want to make sure this isn't exploitable.
推荐答案
如果您使用系统$ CMD,@args
,而不是系统$ CMD @args
(数组而不是字符串),那么你没有逃跑的论点,因为没有外壳被调用(见的)。 系统{$ CMD} $ CMD,@args
不会调用shell要么即使$ CMD包含元字符和@args是空的(这被记录为的)。如果参数是用户输入的到来,你仍然要解除污染他们。参见 -T
在文档和的文档。
If you use system $cmd, @args
rather than system "$cmd @args"
(an array rather than a string), then you do not have to escape the arguments because no shell is invoked (see system). system {$cmd} $cmd, @args
will not invoke a shell either even if $cmd contains metacharacters and @args is empty (this is documented as part of exec). If the args are coming from user input, you will still want to untaint them. See -T
in the perlrun docs, and the perlsec docs.
如果你需要阅读的输出或输入发送到命令, QX
和 readpipe
不等价的。相反,使用打开我的$输出, - |,$ CMD,@args
或打开我的$输入| - ,$ CMD ,@args
虽然因为它需要一个真正的叉
这只是意味着Unix上是不可移植的...我认为。也许它会在Windows上与它的模拟叉工作。更好的选择是像,这也将处理管道命令其他命令的情况下, ,既不系统的多arg格式也没有开4 arg格式来处理。
If you need to read the output or send input to the command, qx
and readpipe
have no equivalent. Instead, use open my $output, "-|", $cmd, @args
or open my $input, "|-", $cmd, @args
although this is not portable as it requires a real fork
which means Unix only... I think. Maybe it'll work on Windows with it's simulated fork. A better option is something like IPC::Run, which will also handle the case of piping commands to other commands, which neither the multi-arg form of system nor the 4 arg form of open will handle.
这篇关于我应该逃避外壳参数在Perl?的文章就介绍到这了,希望我们推荐的答案对大家有所帮助,也希望大家多多支持!