Thanks - I see it in the docs.

I don't see the need to avoid using the shell as I am running this in the shell and there is no non-alphanumeric content (I stripped it out with a regex) and this is not a web app. But it looks interesting - I'll look at it some more.


Larry Furnival
Manager, Instructional Media Lab
Academic Computing Services/Computing Information Services
Teachers College, Columbia University

On Apr 14, 2005, at 1:45 PM, Jeremy Mates wrote:

* Lawrence Furnival <[EMAIL PROTECTED]>
Here I am in a loop through multiple lines copied from the clipboard, feeding them back one line at a time to the clipboard:

system "printf \"$_\" | pbcopy";

Whoa there! The above may allow a nefarious user to run arbitrary shell commands:

  #!/usr/bin/perl -w
  use strict;

  while (<DATA>) {
    system qq{printf "$_" | pbcopy};
  }

  __DATA__
  asdf"; touch /tmp/gotcha

With a piped open, there is no security risk, as the shell is not
involved:

  #!/usr/bin/perl -w
  use strict;

  while (<DATA>) {
    open PBCOPY, "|-" or exec 'pbcopy' or die "nuts: errno=$!\n";
    print PBCOPY;
    close PBCOPY;
  }

  __DATA__
  asdf"; touch /tmp/gotcha

For more information on piped opens and security, consult:

http://sial.org/howto/perl/backticks/

http://perldoc.perl.org/perlipc.html

http://perldoc.perl.org/perlsec.html
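An added example, not code from either message, that restates the safe pattern above in the three-argument list form of open (Perl 5.8 and later), which forks and execs the clipboard command directly so the copied line is only ever data written to a pipe. It assumes pbcopy as the clipboard sink; a different sink (or `cat` for a dry run) can be supplied on the command line. The sample lines, including the same `asdf"; touch /tmp/gotcha` payload shown above, are constructed for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the original thread): push each input line to a
# clipboard command through a piped open that never involves /bin/sh.
use strict;
use warnings;

# Assumption: the sink is pbcopy (macOS). Elsewhere, pass a substitute on the
# command line, e.g. "xclip -selection clipboard", or "cat" to just watch it.
my @SINK = @ARGV ? @ARGV : ('pbcopy');

# Constructed sample input. The second and third lines carry the kind of
# shell syntax that system("printf \"$_\" | pbcopy") would have executed.
my @lines = (
    "plain text\n",
    "asdf\"; touch /tmp/gotcha\n",
    "\$(echo injected) \`id\` | cat\n",
);

# Deliver one line to the sink. With mode '|-' and the command given as a
# list, Perl execs @SINK itself; $line goes down the pipe and is never part
# of any command string, so quotes, semicolons and backticks stay literal.
sub copy_line {
    my ($line) = @_;
    open(my $to_sink, '|-', @SINK)
        or die "cannot run @SINK: $!\n";
    print {$to_sink} $line;
    # close() on a pipe waits for the child and reports its exit status in $?
    close($to_sink)
        or die $! ? "error closing pipe to @SINK: $!\n"
                  : "@SINK exited with status " . ($? >> 8) . "\n";
    return 1;
}

# For contrast only: the command string the original one-liner would have
# handed to the shell. Built as a string here, never executed.
sub unsafe_command_string {
    my ($line) = @_;
    return qq{printf "$line" | pbcopy};
}

for my $line (@lines) {
    printf "shell would have parsed: %s", unsafe_command_string($line);
    copy_line($line);
    print "sent ", length($line), " bytes to @SINK without a shell\n";
}
```

Run it as `perl safe_pbcopy.pl cat` on a machine without pbcopy and each line is echoed back byte for byte, quotes and all. If the script is run under taint mode (`-T`, see the perlsec link above), a sink taken from @ARGV is tainted and the open will refuse it until it has been validated, which is the behaviour you want for anything that builds a command from outside input.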
