4.4. String::ShellQuote

When invoking raw shell commands (instead of passing a list of command-line arguments), one can easily end up in a situation where a string interpolated into the command places arbitrary code in the shell. For example, consider the following qx call:

my $ls_output = qx/ls '$dir'/;

If $dir is then set to "' ; rm -fr ~ ; '", the shell will delete our entire home directory.

To avoid such problems, make use of the String::ShellQuote module, which provides functions for quoting strings so that they cannot inject shell code.
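As an added example (not code from the original text), here is the qx call above rewritten with String::ShellQuote's shell_quote, next to the shell-free list form of open that the text alludes to; the directory name is constructed for illustration and is assumed not to exist.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use String::ShellQuote qw(shell_quote);

# Constructed directory name: it contains single quotes, a space and a
# semicolon, exactly the characters that break out of the '$dir'
# quoting in the qx call from the text.
my $dir = "O'Brien's reports; 2024";

# Unsafe (from the text): $dir is interpolated into a shell string.
#   my $ls_output = qx/ls '$dir'/;

# Safe, option 1: shell_quote returns a string that the shell parses as
# a single word, so it can be interpolated into a command string.
sub quoted_ls_command {
    my ($d) = @_;
    return 'ls -- ' . shell_quote($d);
}
my $safe_output = qx/@{[ quoted_ls_command($dir) ]} 2>&1/;

# Safe, option 2: the list form of open hands the arguments straight to
# ls; no shell is involved, so no quoting is needed at all.
sub list_ls {
    my ($d) = @_;
    open my $fh, '-|', 'ls', '--', $d or return ();
    my @lines = <$fh>;
    close $fh;
    return @lines;
}
my @list_output = list_ls($dir);

print "quoted command: ", quoted_ls_command($dir), "\n";
print "qx output:      $safe_output";
print "list output:    @list_output";
```

In both safe variants ls receives the single argument `O'Brien's reports; 2024` (and reports that it does not exist), rather than three separate shell commands.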


Written by Shlomi Fish