> For example:
>
> <code> sub WriteSecondaryClipboard ( $Str ) {     # <ctrl><c>
>     my $Cmd = "echo \"$Str\" | xclip -selection clipboard";
>     shell $Cmd;
> } </code>
>
> problem solved.

Please don't forget that if $Str can be modified by a user or outside
process somehow, you've opened the door to remote code execution here.

Imagine $Str being something like

    hello, this is part of the echo" | rm -rf / | "and an opening quote
to make the rest of the code work again

and it'll do A Bad Thing*

If you ever heard of "useless use of cat", you might understand what I
mean when I say this is a "useless use of echo".

Instead of using the shell to do a redirect from echo, you can just run
the xclip process directly from perl6 and pass in the text you want it
to receive. That way there's no chance for "code injection" or any other
way things could go wrong.

For example, if your $Str contains a single ", here's what you get:

> /bin/sh: -c: line 1: unexpected EOF while looking for matching `"'
> /bin/sh: -c: line 2: syntax error: unexpected end of file
> The spawned command 'echo "oh my "what do we have here
> " | cat' exited unsuccessfully (exit code: 1)
>   in block <unit> at -e line 1

Or what if there's backtick quotes?

> timo@schmand ~> perl6 -e 'my $Str = $*IN.slurp-rest(:close); shell
> qq/echo "$Str" | cat/'
> Hey, you are totally running `uname`.
> Hey, you are totally running Linux.

Or what if there's ANSI escape codes?

There's no end to what tomfoolery someone who can control $Str can do to
your system.

Hope that helps!
  - Timo

* yes, I know about --no-preserve-root and all that. "rm -rf /" is a
very iconic phrase for "mess up your computer real bad", though.
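The alternative Timo describes, running xclip directly and handing it the text on standard input so that /bin/sh never parses the string, written out as an added example. This is not code from the mail or from the original poster; the helper name `feed-stdin`, the `:capture` option and the constructed hostile string are assumptions made here for illustration, and the self-check routes through `cat` (as the mail does) so it runs without an X server.

```raku
#!/usr/bin/env raku
# Added example, not from the original mail: hand the text to xclip on its
# standard input instead of interpolating it into a /bin/sh command line.

# Run @cmd without any shell involved and write $text to its stdin.
# Each element of @cmd becomes exactly one argv entry, so $text is never
# parsed for quotes, backticks, pipes, $variables or newlines.
sub feed-stdin(@cmd, Str $text, Bool :$capture = False --> Hash) {
    my $proc = $capture
        ?? run |@cmd, :in, :out
        !! run |@cmd, :in;
    $proc.in.print($text);
    # Closing stdin lets the child finish and makes exitcode available.
    # (Fine for clipboard-sized input; huge input with :out would need
    # Proc::Async to avoid a full stdout pipe.)
    $proc.in.close;
    my $out = $capture ?? $proc.out.slurp(:close) !! '';
    return { exitcode => $proc.exitcode, out => $out };
}

# WriteSecondaryClipboard from the thread, rewritten without `shell`.
sub write-secondary-clipboard(Str $str --> Bool) {
    my %r = feed-stdin(<xclip -selection clipboard>, $str);
    %r<exitcode> == 0 or note "xclip exited with code %r<exitcode>";
    return %r<exitcode> == 0;
}

# Constructed hostile input: the same kinds of characters the mail warns
# about (unbalanced quote, pipe, backticks, a variable, a newline).
my $hostile = q:to/END/;
    oh my "what do we have here
    " | cat | `uname` $HOME \ and a second line
    END

# Self-check with no X server needed: send the text through `cat` and confirm
# the bytes arrive unchanged. The shell version from the thread fails on the
# unbalanced quote; here there is no shell to fail.
my %r = feed-stdin(['cat'], $hostile, :capture);
say %r<exitcode> == 0 && %r<out> eq $hostile
    ?? 'text reached the child process verbatim'
    !! 'unexpected result';

# Only talk to xclip when a display is actually available.
write-secondary-clipboard($hostile) if %*ENV<DISPLAY>;
```

The design point is the difference between `shell`, which hands one string to /bin/sh for parsing, and `run`, which passes an argv list straight to the program: with `run` there is no command line for the contents of `$str` to break out of, so the quoting, backtick and ANSI-escape cases from the mail all arrive as inert data.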
