Google Groups no longer supports new Usenet posts or subscriptions. Historical content remains viewable.
Dismiss

Shell-escaping from perl

0 views
Skip to first unread message

C. Smith

unread,
Apr 7, 2004, 6:05:08 PM4/7/04
to

Suppose I want to invoke a shell command from perl and provide some user-supplied data as input to the shell command. The user-supplied input has to be escaped so the shell will not interpret any part of it. I already know how to write a regular expression to do this - this regular expression is littered throughout my code in far too many places. What I want to know is if there is a function in a standard perl module somewhere that will do this. Every time I copy and paste my homegrown regular expression, I worry I'm missing part of it, and it's not terribly readable. (I do not want to take my regular expression and make my own function out of it - this does not solve the problem for when I start a batch of new code because I'd have to cart that function around with me.)

Glenn Jackman

unread,
Apr 7, 2004, 6:31:47 PM4/7/04
to


quotemeta is probably what you want:

my $cmd = q{foo bar `nasty command`}
`echo $cmd`

my $safe = quotemeta $cmd
`echo $safe`

--
Glenn Jackman
NCF Sysadmin
gle...@ncf.ca

Jon Ericson

unread,
Apr 7, 2004, 7:05:25 PM4/7/04
to
C. Smith <cs3...@hotmail.com> writes:

> Suppose I want to invoke a shell command from perl and provide some
> user-supplied data as input to the shell command. The user-supplied
> input has to be escaped so the shell will not interpret any part of
> it.

You might consider using taint mode (-T). See the perlsec manpage.

> I already know how to write a regular expression to do this - this
> regular expression is littered throughout my code in far too many
> places. What I want to know is if there is a function in a standard
> perl module somewhere that will do this. Every time I copy and
> paste my homegrown regular expression, I worry I'm missing part of
> it, and it's not terribly readable.

Have you searched CPAN? I found something promising at
<http://search.cpan.org/src/ROSCH/String-ShellQuote-1.00/>.

> (I do not want to take my regular expression and make my own
> function out of it - this does not solve the problem for when I
> start a batch of new code because I'd have to cart that function
> around with me.)

Turn it into a module. Even better, submit it to CPAN. :-)

Jon

perl coder

unread,
Apr 8, 2004, 3:36:53 PM4/8/04
to
Glenn Jackman said:
> quotemeta is probably what you want:
>
> my $cmd = q{foo bar `nasty command`}
> `echo $cmd`
>
> my $safe = quotemeta $cmd
> `echo $safe`

I use that extensively when I need to pass arbitrary filenames through
the shell. It's a good starting point, but it's not 100% foolproof.
One case where it can break down is if the filename contains a dash in
it, and the shell command interprets that as a option (the getopt()
kind). You can get around that by giving the special option -- before
the filename, like this:

$qpath = quotemeta $path;
system("prog -x -y --blah -n 5 -- $qpath");

There might be other issues too, but that's all I can think of right
now.


--
No crazy stuff in my email. ;-)

0 new messages