PHP is the new C
PHP is the new C
Posted Oct 12, 2006 9:15 UTC (Thu) by jschrod (subscriber, #1646)
In reply to: PHP is the new C by dark
Parent article: Report: Vulnerability type distributions in CVE
Actually, Perl does this. Still, it seems that many programmers don't know it since I see lots of code where system() is called with a string (going via /bin/sh) instead of an array (going via fork/exec). Therefore, it's not only a matter of providing the functionality, it's a matter of promoting it and making it the `typical' method to do.
Joachim

PHP is the new C
Posted Oct 12, 2006 13:32 UTC (Thu)
by mtk77 (guest, #6040)
[Link] (3 responses)
The other problem with perl is that you can't use the array version of system() if you don't want to pass any args.

PHP is the new C
Posted Oct 12, 2006 13:38 UTC (Thu)
by jschrod (subscriber, #1646)
[Link] (2 responses)
That's not a problem; Perl uses execvp as long as there are no shell metacharacters in the string. Check out perldoc -f system, at the end of the first paragraph. And you can force it to sidestep the /bin/sh route by supplying the PROGRAM argument in any case.
Joachim

PHP is the new C
Posted Oct 12, 2006 16:47 UTC (Thu)
by mtk77 (guest, #6040)
[Link] (1 responses)
Yes, but. If I have a sub like:
    sub system_list_or_die
    {
        my $ret = system @_;
        return 0 unless $ret;
        # yes, this should use posix wait.h constants
        my $xval = $ret >> 8;
        die "@_ exited with status $xval" if $xval;
        die "@_ exited with signal ".($ret & 0xff);
    }
then I might call it like:
    system_list_or_die("/bin/ls", "-l");
OK so far. If I call it as:
    system_list_or_die("/some path with spaces/ls", "-l")
all is well. But if I don't want any parameters:
    system_list_or_die("/some path with spaces/ls")
it doesn't work as hoped, and there is no way to force it to (that I have been able to find). This is a big problem with hiding both versions behind the same API.

PHP is the new C
Posted Oct 12, 2006 16:51 UTC (Thu)
by mtk77 (guest, #6040)
[Link]
I retract all the above. The trick is:
    system {$_[0]} @_;
Some more obvious syntaxes don't work.
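
The behaviour this thread converges on, as an added example that is not part of any comment above: a one-element list passed to system() is treated as a command string, while the block form always execs the named program directly. The helper name `run_argv_or_die`, the temporary directory and the `show` script are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed fixture: an executable whose path contains spaces.
my $dir  = tempdir("dir with spaces XXXX", TMPDIR => 1, CLEANUP => 1);
my $prog = File::Spec->catfile($dir, "show");
open my $fh, '>', $prog or die "cannot write $prog: $!";
print {$fh} "#!/bin/sh\n", q{echo "ran with $# argument(s)"}, "\n";
close $fh or die "close $prog: $!";
chmod 0755, $prog or die "chmod $prog: $!";

# Hypothetical helper in the spirit of the thread's system_list_or_die.
# The block names the program separately from the argument list, so Perl
# never consults /bin/sh and never splits a lone element on whitespace.
sub run_argv_or_die {
    my @argv = @_;
    die "run_argv_or_die: empty command\n" unless @argv;
    my $ret = system { $argv[0] } @argv;
    die "cannot run $argv[0]: $!\n" if $ret == -1;
    die "@argv died with signal " . ($ret & 127) . "\n" if $ret & 127;
    die "@argv exited with status " . ($ret >> 8) . "\n" if $ret >> 8;
    return 0;
}

# 1. Plain system() with one element: the path is split on whitespace,
#    Perl tries to exec the first word, and the call fails.
{
    no warnings 'exec';    # silence Perl's own "Can't exec" warning
    my $ret = system($prog);
    printf "plain system(), one element: returned %d (%s)\n", $ret, $!;
}

# 2. Block form with no extra arguments: the path is used verbatim.
run_argv_or_die($prog);

# 3. Block form with an argument full of shell metacharacters: it reaches
#    the program as a single literal argument; nothing is interpreted.
run_argv_or_die($prog, "-l", 'name; with $(metacharacters) | and pipes');
```

The example assumes the temporary directory is on a filesystem that permits execution.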