
Security problems with: system "printf \"$_\" | pbcopy": msg#00049

lang.perl.macosx

Subject: Security problems with: system "printf \"$_\" | pbcopy"

* Lawrence Furnival <lrf10@xxxxxxxxxxxx>
> Here I am in a loop through multiple lines copied from the
> clipboard, which are being fed back one line at a time to the clipboard:
>
> system "printf \"$_\" | pbcopy";

Whoa there! The above may allow a nefarious user to run arbitrary
shell commands:

#!/usr/bin/perl -w
use strict;

while (<DATA>) {
    # $_ is interpolated into a command string that a shell then parses,
    # so the quote in the data closes printf's argument and the text
    # after the ";" is run as a second command.
    system qq{printf "$_" | pbcopy};
}

__DATA__
asdf"; touch /tmp/gotcha

With a piped open, there is no security risk, as the shell is not
involved:

#!/usr/bin/perl -w
use strict;

while (<DATA>) {
    # Forking open: the child sees open return 0 and execs pbcopy directly
    # (no shell involved); the parent gets a handle writing to the child.
    open PBCOPY, "|-" or exec 'pbcopy' or die "nuts: errno=$!\n";
    print PBCOPY;    # $_ goes down the pipe as data, never as a command
    close PBCOPY;
}

__DATA__
asdf"; touch /tmp/gotcha

For more information on piped opens and security, consult:

http://sial.org/howto/perl/backticks/

http://perldoc.perl.org/perlipc.html

http://perldoc.perl.org/perlsec.html
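As an added example (not part of the original message), the same idea written with the three-argument list form of open, which also skips the shell, plus the error checking a script feeding untrusted clipboard data should have. It assumes pbcopy lives at /usr/bin/pbcopy on macOS and falls back to cat elsewhere so it can be tried on any Unix.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Write one line to a command's stdin without a shell. The list form of
# open forks and execs the program with its arguments as given, so quotes,
# semicolons, backticks or $ in the data are never interpreted. Because the
# data is written straight to the pipe, it is also never handed to the
# shell's printf, which would treat it as a format string.
sub pipe_line_to {
    my ($line, @cmd) = @_;    # @cmd is the program plus its own arguments
    open(my $sink, '|-', @cmd) or die "cannot run $cmd[0]: $!\n";
    print {$sink} $line;
    # close returns false if the child failed to exit cleanly: $! is set for
    # an I/O error, otherwise $? holds the child's exit status.
    close($sink)
        or die $! ? "error closing pipe to $cmd[0]: $!\n"
                  : "$cmd[0] exited with status " . ($? >> 8) . "\n";
    return 1;
}

# pbcopy exists only on macOS (assumed path /usr/bin/pbcopy); elsewhere use
# cat as a harmless stand-in so the lines are simply echoed to the terminal.
my @clipboard = -x '/usr/bin/pbcopy' ? ('pbcopy') : ('cat', '-v');

while (my $line = <DATA>) {
    pipe_line_to($line, @clipboard);
}

# Constructed sample input: the line from the thread plus one that would
# trip printf's format handling and shell expansion if a shell were used.
__DATA__
asdf"; touch /tmp/gotcha
100% done, `uname` in $HOME
```

On a machine without pbcopy the lines are printed verbatim by cat, showing that nothing in them was executed or expanded.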
