[Catalyst] Re: [patch] Catalyst::Engine::HTTP exec() options

A. Pagaltzis pagaltzis at gmx.de
Wed Dec 5 07:20:23 GMT 2007


* Chisel Wright <chisel at herlpacker.co.uk> [2007-12-05 00:00]:
> -        exec $^X . ' "' . $0 . '" ' . join( ' ', @{ $options->{argv} } );
> +        exec $^X . ' "' . $0 . '" ' . join( ' ', map(qq{'$_'},@{ $options->{argv} }) );
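
Review bot: the map(qq{'$_'}, ...) on the + line wraps each argument in single quotes but does not escape a single quote inside the argument, so such an argument ends the quoting early and the shell parses the rest of it. $0 is still interpolated inside double quotes, which the shell also interprets. Passing a list, exec $^X, $0, @{ $options->{argv} }; avoids both problems because no shell parses the command line.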

That’s brittle. A single quote in any of the arguments will break
it. It’s like “fixing” an SQL injection hole by putting quotes
around interpolated variables. Just as in that scenario, the
robust fix is to actually shell-quote the variables:

    q{'} . ( join q{'\\''}, split /'/, $_, -1 ) . q{'}

But unless the command line is *supposed* to be interpreted by
the shell (and that seems unlikely to me), that’s still the wrong
fix. The right fix is to use the list form of `exec`, which keeps
the shell entirely out of the picture:

    exec $^X, $0, @{ $options->{argv} };

Hey lookit, that’s simpler to write too! :-)

-- 
*AUTOLOAD=*_;sub _{s/(.*)::(.*)/print$2,(",$\/"," ")[defined wantarray]/e;$1}
&Just->another->Perl->hack;
#Aristotle Pagaltzis // <http://plasmasturm.org/>
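
The three approaches discussed in this message, compared side by side as an added example (not code from the thread or from Catalyst). The sample arguments and the child one-liner are constructed; qx and a list-form pipe open stand in for exec so that the argument vector the child receives can be captured. With wrap-only quoting the child sees four arguments for three inputs.

```perl
use strict;
use warnings;

# Child process that reports exactly the arguments it received, one per line.
my @child = ( $^X, '-e', 'print "[$_]\n" for @ARGV' );

# Constructed sample arguments; the last one contains single quotes.
my @args = ( 'plain', 'two words', q{x' 'y} );

# Wrap-only quoting, as on the "+" line of the quoted patch: escapes nothing.
sub naive_quote { my ($s) = @_; return q{'} . $s . q{'} }

# POSIX shell quoting, using the expression given in the reply above.
sub shell_quote {
    my ($s) = @_;
    return q{'} . ( join q{'\\''}, split /'/, $s, -1 ) . q{'};
}

# Build one command string and let /bin/sh parse it (string form).
sub via_shell {
    my ($quote) = @_;
    my $cmd = join ' ',
        ( map { shell_quote($_) } @child ),
        ( map { $quote->($_) } @args );
    chomp( my @seen = qx{$cmd} );
    return @seen;
}

# Pass a list: the child is started directly and no shell sees the arguments.
sub via_list {
    open my $fh, '-|', @child, @args or die "cannot start child: $!";
    chomp( my @seen = <$fh> );
    close $fh;
    return @seen;
}

for my $run (
    [ 'naive quote', via_shell( \&naive_quote ) ],
    [ 'shell quote', via_shell( \&shell_quote ) ],
    [ 'list form',   via_list() ],
) {
    my ( $label, @seen ) = @$run;
    printf "%-12s %d args: %s\n", $label, scalar @seen, join ' ', @seen;
}
```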


