[Catalyst] Re: [patch] Catalyst::Engine::HTTP exec() options

Andy Grundman andy at hybridized.org
Tue Dec 11 14:18:11 GMT 2007


On Dec 5, 2007, at 2:20 AM, A. Pagaltzis wrote:

> * Chisel Wright <chisel at herlpacker.co.uk> [2007-12-05 00:00]:
>> -        exec $^X . ' "' . $0 . '" ' . join( ' ', @{ $options- 
>> >{argv} } );
>> +        exec $^X . ' "' . $0 . '" ' . join( ' ',  
>> map(qq{'$_'},@{ $options->{argv} }) );
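
Review bot: On the `+` line, `map(qq{'$_'}, ...)` wraps each argument in single quotes but does not escape a single quote inside the argument, so an argument containing `'` ends the quoting early and the remainder is parsed by the shell. `$0` is also still interpolated inside double quotes and `$^X` is not quoted at all. Because `exec` is handed one concatenated string here, I would pass a list instead, `exec $^X, $0, @{ $options->{argv} };`, so that no shell parses the command line.
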
>
> That’s brittle. A single quote in any of the arguments will break
> it. It’s like “fixing” an SQL injection hole by putting quotes
> around interpolated variables. Just as in that scenario, the
> robust fix is to actually shell-quote the variables:
>
>    q{'} . ( join q{'\\''}, split /'/, $_, -1 ) . q{'}
>
> But unless the command line is *supposed* to be interpreted by
> shell (and that seems unlikely to me), that’s still the wrong
> fix. The right fix is to use the list form of `exec`, which keeps
> the shell entirely out of the picture:
>
>    exec $^X, $0, @{ $options->{argv} };
>
> Hey lookit, that’s simpler to write too! :-)

Thanks guys, I've applied this fix.

-Andy
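
The three forms discussed in this thread, run side by side as an added example (not code from the thread or from Catalyst). It uses `system` instead of `exec` so all three can run in one script and assumes a POSIX `/bin/sh`; the sample arguments, the `--child` flag and the `shell_quote` and `report` names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

$| = 1;    # keep parent and child output in order

# Child mode (hypothetical --child flag): show each argument as received.
if ( @ARGV && $ARGV[0] eq '--child' ) {
    shift @ARGV;
    print "    [$_]\n" for @ARGV;
    exit 0;
}

# Constructed sample arguments: one with a space, one with a single quote.
my @argv = ( 'plain', 'two words', "O'Brien" );

# The quoting expression from the reply, wrapped in a sub (hypothetical name):
# close the quote, emit an escaped quote, reopen the quote.
sub shell_quote {
    my ($s) = @_;
    return q{'} . ( join q{'\\''}, split /'/, $s, -1 ) . q{'};
}

sub report {
    my ( $label, $status ) = @_;
    printf "%s: wait status %d\n\n", $label, $status;
}

# 1. The patched form: quotes added, embedded quotes not escaped.
#    The shell sees an unterminated quote and reports a syntax error
#    instead of running the child.
my $naive = $^X . ' "' . $0 . '" ' . join( ' ', map( qq{'$_'}, '--child', @argv ) );
print "naive:  $naive\n";
report( 'naive', system($naive) );

# 2. Every word shell-quoted, including the interpreter and script paths.
my $quoted = join( ' ', map( shell_quote($_), $^X, $0, '--child', @argv ) );
print "quoted: $quoted\n";
report( 'quoted', system($quoted) );

# 3. List form: no shell is involved, each argument arrives unchanged.
print "list form\n";
report( 'list', system( $^X, $0, '--child', @argv ) );
```

Forms 2 and 3 print the same three arguments from the child; only form 3 does so without depending on the shell's quoting rules.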

