On Tue, Jun 10, 2003 at 04:45:22PM -0600, Nathan Vonnahme wrote:
> >
> > my @command = map { s/"/\\"/g; qq["$_"] } @args;
> yes, that would be perfect. You could use that line everywhere,
> including doc2txt.pm and pdf2*.pm
Ok, I added that, but it still is not secure, but it's not meant to be.
It was supposed to preserve quotes used for phrases and spaces in file
names.
A better way would be to use single quotes on *nix and fallback to
double quotes on Windows. Or better, write some portable and secure
"run_program()" function that works everywhere. Too many platforms to
worry about.
The above is easily bypassed by using a backslash in the file name.
Get a file named something like:
\"; foo -rf /; \"
and you are in business. It's a common error seen in many CGI programs
to try and escape away the shell metas. The only answer is to know the
shell and only allow known good chars. Bypass the shell when possible.
--
Bill Moseley
moseley@hank.org
Received on Wed Jun 11 21:24:50 2003
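A worked illustration of the point made in the message, added here and not part of the original thread: the quoting one-liner beside a list-form `system` that bypasses the shell, with a known-good character check in front of it. The names `is_safe_arg`, `quote_for_shell` and `run_program`, and the allowed character class, are assumptions for this example.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Allow-list: reject any argument containing characters outside this set.
# The class is an assumption; widen it only to what the called tool needs.
sub is_safe_arg {
    my ($arg) = @_;
    return $arg =~ /\A[\w .\/-]+\z/ ? 1 : 0;
}

# The quoting from the thread, applied to a copy so @_ is not modified.
# It escapes the quote but not a backslash in front of it, so a name like
# \"; foo -rf /; \" still leaves an unquoted ';' once the shell has
# processed the escapes.
sub quote_for_shell {
    my @quoted = map { (my $copy = $_) =~ s/"/\\"/g; qq["$copy"] } @_;
    return join ' ', @quoted;
}

# Preferred: hand argv straight to execvp(); no shell is involved, so
# metacharacters in an argument are inert.  The { $prog } indirect-object
# form keeps Perl from falling back to a shell even for a single argument.
# Note: on Windows perl still has to build one command line for
# CreateProcess, so the allow-list check above is the portable part.
sub run_program {
    my ($prog, @args) = @_;
    for my $arg (@args) {
        die "refusing argument with disallowed characters: $arg\n"
            unless is_safe_arg($arg);
    }
    my $rc = system { $prog } $prog, @args;
    die "could not run $prog: $!\n" if $rc == -1;
    return $rc >> 8;    # child's exit status
}

my $hostile = q{\"; foo -rf /; \"};    # the file name from the message
print quote_for_shell('pdftotext', $hostile), "\n";
for my $name ('report 2003.pdf', $hostile) {
    printf "%s: %s\n", $name, is_safe_arg($name) ? 'allowed' : 'rejected';
}
# The space in the name survives as one argv element, no quoting needed.
exit run_program('echo', 'report 2003.pdf');
```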