PHP is the new C [LWN.net]

PHP is the new C

Posted Oct 12, 2006 13:38 UTC (Thu) by jschrod (subscriber, #1646)
In reply to: PHP is the new C by mtk77
Parent article: Report: Vulnerability type distributions in CVE

That's not a problem; Perl uses execvp as long as there are no shell metacharacters in the string. Check out perldoc -f system, at the end of the first paragraph. And you can force it to sidestep the /bin/sh route by supplying the PROGRAM argument in any case.

Joachim

(Log in to post comments)

PHP is the new C

Posted Oct 12, 2006 16:47 UTC (Thu) by mtk77 (guest, #6040) [Link]

Yes, but. If I have a sub like:

sub system_list_or_die
{
    my $ret = system @_;
    return 0 unless $ret;
    # yes, this should use posix wait.h constants
    my $xval = $ret >> 8;
    die "@_ exited with status $xval" if $xval;
    die "@_ exited with signal ".($ret & 0xff);
}

then I might call it like:

system_list_or_die("/bin/ls", "-l");

OK so far. If I call it as:

system_list_or_die("/some path with spaces/ls", "-l")

all is well. But if I don't want any parameters:

system_list_or_die("/some path with spaces/ls")

it doesn't work as hoped, and there is no way to force it to (that I have been able to find). This is a big problem with hiding both versions behind the same API.

PHP is the new C

Posted Oct 12, 2006 16:51 UTC (Thu) by mtk77 (guest, #6040) [Link]

I retract all the above. The trick is:

system {$_[0]} @_;

Some more obvious syntaxes don't work.