...
However, this code will also reject valid directories if they contain characters not in the white list regex.
Compliant Solution (Shell Avoidance)
This compliant solution again sanitizes the untrusted user input. However, it uses the multi-arg form of open().
my $file;
my $dir = $ARGV0;
croak "Argument contains unsanitary characters, stopped" if ($dir =~ m|-A-Za-z0-9_/.~|);
open( my $listing, "-|", "ls", "-F", $dir) or croak "error executing command: stopped";
while (<$listing>) {
print "Result: $_";
}
close( $listing);
The perlfunc manpages states, regarding all but the first two arguments to open():
If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is "/bin/sh -c" on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to "execvp", which is more efficient.
So this form of open() is preferrable if your platform's shell might be set up incorrectly or maliciously.
Compliant Solution (Restricted Choice)
This compliant solution prevents command injection by passing only trusted strings to open(). While the user has control over which string is used, the user cannot provide string data directly to open().
...