Tommy Nordgren wrote:
>
> On Oct 26, 2005 at 7:56 PM, Wiggins d'Anconia wrote:
>
>> Tommy Nordgren wrote:
>>
>>> On Oct 25, 2005 at 6:21 AM, Pant, Hridyesh wrote:
>>>
>>>> Hi All,
>>>> How to extract a zip file using a Perl program...
>>>>
>>>> Thanks
>>>> Hridyesh
>>>>
>>>> --
>>>> To unsubscribe, e-mail: [EMAIL PROTECTED]
>>>> For additional commands, e-mail: [EMAIL PROTECTED]
>>>> <http://learn.perl.org/> <http://learn.perl.org/first-response>
>>>
>>>     system '/usr/bin/unzip',@OPTIONS,$zipfile;
>>>
>> Time for me to rant about how the above is unacceptable for anything
>> other than a one off script. Shelling out using 'system' or backticks is
>> a last resort and should be used with care and the proper precautions
>
> Calling system with multiple parameters doesn't 'shell out' as you call it.
> It launches the tool in question directly, bypassing the shell entirely.
> The main security concern of accidentally calling a trojan horse earlier in
> the user's path doesn't apply when using the array form of system, with an
> absolute search path.
Ok, fork/exec'ing, technically you are correct, the shell doesn't get a
chance to re-interpret the command line. You are also correct that you
avoid a trojan horse when someone places something earlier in the path;
of course there is nothing to say that /usr/bin/unzip isn't a trojan
horse itself, assuming it exists at all. Regardless, the above code still
doesn't catch a missing executable, no permissions to run said
executable, or errors thrown by that executable, or on the flip side that
it was actually successful. Though I haven't benchmarked it, for common
practices shelling out is generally also slower than its native Perl
brethren, and of course portability falls all to pieces. So for proper
applications something like Archive::Zip would be significantly better
from interface, security, portability, and efficiency standpoints.

http://danconia.org

>
>> taken. The above lacks proper error handling, security safeguards, and
>> is inefficient and non-portable.
>>
>> See the ML archives for further discussion of how to properly shell
>> out...
>>
>> http://danconia.org
>
> -------------------------------------
> This sig is dedicated to the advancement of Nuclear Power
> Tommy Nordgren
> [EMAIL PROTECTED]
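Below, as an added example that is not code from the thread, is what checking the outcome looks like for both approaches the two posters contrast: the list-form system() call with the failures Wiggins lists (missing or non-executable binary, a signal, a non-zero exit) actually caught, and Archive::Zip with its return codes checked. The archive and destination names, the unzip options, and the entry-name safeguard are assumptions of this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use Archive::Zip qw( :ERROR_CODES );
use File::Spec;

# Hypothetical inputs for this example; not from the thread.
my $zipfile = 'archive.zip';
my $dest    = 'extracted';

# Option 1: the list form of system(), which bypasses the shell as Tommy
# notes, but with the result inspected instead of ignored.
sub unzip_via_system {
    my ($zip, $dir) = @_;
    my @cmd = ('/usr/bin/unzip', '-q', $zip, '-d', $dir);   # options assumed
    my $rc  = system @cmd;
    if ($rc == -1) {
        # exec itself failed: binary missing, not executable, etc. ($! says why)
        die "could not run $cmd[0]: $!\n";
    }
    elsif ($? & 127) {
        die sprintf "%s died with signal %d\n", $cmd[0], $? & 127;
    }
    elsif ($? >> 8) {
        die sprintf "%s exited with status %d\n", $cmd[0], $? >> 8;
    }
    return 1;   # reached only on a zero exit status, i.e. actual success
}

# Option 2: Archive::Zip, pure Perl and portable, with its own error codes.
sub unzip_via_archive_zip {
    my ($zip, $dir) = @_;
    my $archive = Archive::Zip->new;
    $archive->read($zip) == AZ_OK or die "cannot read $zip\n";
    for my $member ($archive->members) {
        my $name = $member->fileName;
        # Added safeguard (assumption): refuse entries that would land outside $dir.
        die "unsafe entry name: $name\n"
            if File::Spec->file_name_is_absolute($name)
            or grep { $_ eq '..' } File::Spec->splitdir($name);
    }
    $archive->extractTree('', "$dir/") == AZ_OK or die "extraction failed\n";
    return 1;
}

unzip_via_archive_zip($zipfile, $dest);
```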