Shell-escaping from perl

[C. Smith]

Suppose I want to invoke a shell command from perl and provide some user-supplied data as input to the shell command. The user-supplied input has to be escaped so the shell will not interpret any part of it. I already know how to write a regular expression to do this - this regular expression is littered throughout my code in far too many places. What I want to know is if there is a function in a standard perl module somewhere that will do this. Every time I copy and paste my homegrown regular expression, I worry I'm missing part of it, and it's not terribly readable. (I do not want to take my regular expression and make my own function out of it - this does not solve the problem for when I start a batch of new code because I'd have to cart that function around with me.)

 

[Glenn Jackman]

Suppose I want to invoke a shell command from perl and provide some
user-supplied data as input to the shell command. The user-supplied
input has to be escaped so the shell will not interpret any part of
it. I already know how to write a regular expression to do this -
this regular expression is littered throughout my code in far too
many places. What I want to know is if there is a function in a
standard perl module somewhere that will do this. Every time I copy
and paste my homegrown regular expression, I worry I'm missing part
of it, and it's not terribly readable. (I do not want to take my
regular expression and make my own function out of it - this does not
solve the problem for when I start a batch of new code because I'd
have to cart that function around with me.)

quotemeta is probably what you want:

my $cmd = q{foo bar `nasty command`}
`echo $cmd`

my $safe = quotemeta $cmd
`echo $safe`

 

[Jon Ericson]

Suppose I want to invoke a shell command from perl and provide some
user-supplied data as input to the shell command. The user-supplied
input has to be escaped so the shell will not interpret any part of
it.

You might consider using taint mode (-T). See the perlsec manpage.

I already know how to write a regular expression to do this - this
regular expression is littered throughout my code in far too many
places. What I want to know is if there is a function in a standard
perl module somewhere that will do this. Every time I copy and
paste my homegrown regular expression, I worry I'm missing part of
it, and it's not terribly readable.

Have you searched CPAN? I found something promising at

(I do not want to take my regular expression and make my own
function out of it - this does not solve the problem for when I
start a batch of new code because I'd have to cart that function
around with me.)

Turn it into a module. Even better, submit it to CPAN.

Jon

 

[perl coder]

Glenn Jackman said:

quotemeta is probably what you want:

my $cmd = q{foo bar `nasty command`}
`echo $cmd`

my $safe = quotemeta $cmd
`echo $safe`

I use that extensively when I need to pass arbitrary filenames through
the shell. It's a good starting point, but it's not 100% foolproof.
One case where it can break down is if the filename contains a dash in
it, and the shell command interprets that as a option (the getopt()
kind). You can get around that by giving the special option -- before
the filename, like this:

$qpath = quotemeta $path;
system("prog -x -y --blah -n 5 -- $qpath");

There might be other issues too, but that's all I can think of right
now.