PHP is the new C

Posted Oct 12, 2006 13:32 UTC (Thu) by mtk77 (guest, #6040)
In reply to: PHP is the new C by jschrod
Parent article: Report: Vulnerability type distributions in CVE

The other problem with perl is that you can't use the array version of system() if you don't want to pass any args.


PHP is the new C

Posted Oct 12, 2006 13:38 UTC (Thu) by jschrod (subscriber, #1646) [Link]

That's not a problem; Perl uses execvp as long as there are no shell metacharacters in the string. Check out perldoc -f system, at the end of the first paragraph. And you can force it to sidestep the /bin/sh route by supplying the PROGRAM argument in any case.

Joachim

PHP is the new C

Posted Oct 12, 2006 16:47 UTC (Thu) by mtk77 (guest, #6040) [Link]

Yes, but. If I have a sub like:

    sub system_list_or_die
    {
        my $ret = system @_;
        return 0 unless $ret;
        # yes, this should use posix wait.h constants
        my $xval = $ret >> 8;
        die "@_ exited with status $xval" if $xval;
        die "@_ exited with signal ".($ret & 0xff);
    }

then I might call it like:

    system_list_or_die("/bin/ls", "-l");

OK so far. If I call it as:

    system_list_or_die("/some path with spaces/ls", "-l");

all is well. But if I don't want any parameters:

    system_list_or_die("/some path with spaces/ls");

it doesn't work as hoped, and there is no way to force it to (that I have been able to find). This is a big problem with hiding both versions behind the same API.

PHP is the new C

Posted Oct 12, 2006 16:51 UTC (Thu) by mtk77 (guest, #6040) [Link]

I retract all the above. The trick is:

    system {$_[0]} @_;

Some more obvious syntaxes don't work.
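
The behaviour discussed in this thread, as an added example that is not part of any poster's comment: a wrapper that always uses the indirect-object form of system() so a one-element list is never re-parsed as a command string, and that decodes the wait status with the POSIX macros. The `hello` script and the temporary directory are constructed fixtures, and the example assumes the temporary directory permits executing files.

```perl
#!/usr/bin/perl
# Added example: wrapper that always bypasses the shell, even with no arguments.
use strict;
use warnings;
use POSIX qw(WIFEXITED WEXITSTATUS WIFSIGNALED WTERMSIG);
use File::Temp qw(tempdir);

# Run a command given as a list; never hand the string to /bin/sh.
sub system_list_or_die {
    my @cmd = @_;
    die "no command given\n" unless @cmd;
    # Indirect-object form: the block names the program, @cmd is argv.
    # With this form Perl treats @cmd as a list even if it has one element.
    my $ret = system { $cmd[0] } @cmd;
    die "cannot run '$cmd[0]': $!\n" if $ret == -1;
    return 0 if $ret == 0;
    die "@cmd exited with status " . WEXITSTATUS($ret) . "\n" if WIFEXITED($ret);
    die "@cmd died from signal " . WTERMSIG($ret) . "\n" if WIFSIGNALED($ret);
    die "@cmd failed with wait status $ret\n";
}

# Constructed fixture: an executable in a directory whose name has spaces.
my $dir  = tempdir("some path with spaces XXXXXX", TMPDIR => 1, CLEANUP => 1);
my $prog = "$dir/hello";
open my $fh, '>', $prog or die "open $prog: $!\n";
print {$fh} "#!/bin/sh\necho \"ran with \$# argument(s)\"\n";
close $fh or die "close $prog: $!\n";
chmod 0755, $prog or die "chmod $prog: $!\n";

# One-element list: Perl treats it as a command string and splits it on
# whitespace, so the first word of the path is what it tries to execute.
{
    no warnings 'exec';    # silence the expected "Can't exec" warning
    my $ret = system($prog);
    print "plain system(\$prog): ",
        ($ret == 0 ? "ran" : "did not run the program"), "\n";
}

# The same path through the wrapper executes the intended file,
# with no arguments and with one argument.
system_list_or_die($prog);
system_list_or_die($prog, "-l");
```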

Copyright © 2013, Eklektix, Inc.
Comments and public postings are copyrighted by their creators.
Linux is a registered trademark of Linus Torvalds