
Shlomi Fish committed c96625f

Add the list-form of pipe open.

  • Parent commits 3f891e5


Files changed (3)

         - use closures instead.
     - calling too much for the shell for help.
     - missing semicolons in the last statements of blocks.
+    - list-form of open with potentially one argument:
+        - will be interpreted as a shell command.
+        - no way to avoid it for one argument.
+        - use IPC::Run or IPC::System::Simple
         - shell code injection.
         - cross-site-scripting / HTML injection.
         - SQL injection.
-    - list-form of open with potentially one argument:
-        - will be interpreted as a shell command.
-        - no way to avoid it for one argument.
-        - use IPC::Run or IPC::System::Simple
     - Using string eval.
         - Two or more /e flags for s/// .
     - Regular expressions starting or ending with .*? or .*
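Review bot: the relocated bullet `+        - use IPC::Run or IPC::System::Simple` is the only line in the moved block without a trailing period, while its siblings (`- will be interpreted as a shell command.`, `- no way to avoid it for one argument.`) end with one; suggest `- use IPC::Run or IPC::System::Simple.` so the list stays consistent. Moving the item up next to `- calling too much for the shell for help.` is the right grouping, since the one-argument case of the list form is exactly a shell invocation, and the removed copy under `- SQL injection.` is fully accounted for by the added lines.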

src/tutorials/bad-elements/index.html.wml

 
 </item>
 
+<item id="list-form-of-open-with-one-arg" h="List form of open with one argument.">
+
+<p>
+Recent versions of of perl introduced the list-forms of piping to and from a 
+command, such as <tt>open my $fh, '-|', 'fortune', $collection</tt> or
+<tt>open my $printer, '|-', 'lpr', '-Plp1'</tt>. However, not only they are
+not implemented on Windows and other UNIX-like systems yet, but when one passes 
+only one argument to them, they pass it to the shell verbatim.
+</p>
+
+<p>
+As a result, if one passes an array variable to them, as in:
+</p>
+
+<bad_code>
+open my $fh, '-|', @foo
+    or die "Could not open program! - $!"
+</bad_code>
+
+<p>
+One can pass only a single argument to <tt>@foo</tt>, which would be dangerous.
+To mitigate that, one should use the <cpan_self_dist d="IPC-Run" />
+or the <cpan_self_dist d="IPC-System-Simple" /> CPAN distributions.
+</p>
+
+</item>
+
 </main_list>
 
 #include "bad-elements-sources.wml"
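Review bot: the sentence `+One can pass only a single argument to <tt>@foo</tt>, which would be dangerous.` misstates the hazard the item is about. The risk is that `@foo` may happen to contain only one element at runtime, in which case the call degrades to the single-argument form that the first paragraph says is handed to the shell verbatim; suggest wording such as "If `@foo` happens to hold a single element, that element is interpreted as a shell command." The `<bad_code>` example also ends `+    or die "Could not open program! - $!"` without a terminating semicolon, which the same tutorial lists as a bad element ("missing semicolons in the last statements of blocks"), so add the `;` even in an illustrative snippet. Minor text fixes in the first paragraph: `+Recent versions of of perl` has a doubled "of"; `+not only they are` should read "not only are they"; and `+not implemented on Windows and other UNIX-like systems yet` presumably means "Windows and some other non-UNIX systems", since Windows is not UNIX-like.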