Use IPC::System::Simple capturex instead of capture
capturex avoids using the shell at all, which is the
proper way to prevent shell meta-character injection.
Also remove a comment that would use the shell if
it were uncommented and changed from qq to qx.
See-also: http://bonedaddy.net/pabs3/log/2014/02/17/pid-preservation-society/
Paul Wise
6 years ago
22 | 22 | use warnings FATAL => 'all'; |
23 | 23 | use autodie qw(:all); |
24 | 24 | use v5.14; |
25 | use IPC::System::Simple qw(capture); | |
25 | use IPC::System::Simple qw(capturex); | |
26 | 26 | |
27 | 27 | $ENV{LC_ALL} = 'C'; |
28 | 28 | |
109 | 109 | sub get_build_ids_from_core |
110 | 110 | { |
111 | 111 | my ($filename) = @_; |
112 | my $output = capture("eu-unstrip -n --core=\Q$filename\E"); | |
112 | my $output = capturex(qw(eu-unstrip -n --core), $filename); | |
113 | 113 | |
114 | 114 | return parse_eu_unstrip($output); |
115 | 115 | } |
117 | 117 | sub get_build_ids_from_pid |
118 | 118 | { |
119 | 119 | my ($pid) = @_; |
120 | my $output = capture("eu-unstrip -n -p \Q$pid\E"); | |
120 | my $output = capturex(qw(eu-unstrip -n -p), $pid); | |
121 | 121 | chomp $output; |
122 | 122 | |
123 | 123 | return parse_eu_unstrip($output); |
129 | 129 | |
130 | 130 | my $output; |
131 | 131 | eval { |
132 | $output = capture("grep-aptavail -s Package -F Build-IDs \Q$id\E"); | |
132 | $output = capturex(qw(grep-aptavail -s Package -F Build-IDs), $id); | |
133 | 133 | }; |
134 | 134 | if ($@) { |
135 | 135 | return; |
150 | 150 | sub is_core_file |
151 | 151 | { |
152 | 152 | my ($filename) = (@_); |
153 | # warn qq{eu-readelf -n \Q$filename\E}; | |
154 | my $output = capture("eu-readelf -h \Q$filename\E"); | |
153 | my $output = capturex(qw(eu-readelf -h), $filename); | |
155 | 154 | if ($output =~ /^\s*Type:\s*CORE/m) { |
156 | 155 | return 1; |
157 | 156 | } |
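Review bot: A value that begins with `-` is still parsed as an option by the called tool even with no shell involved; this affects `$filename` in is_core_file (`eu-readelf -h`) and `$id` in the `grep-aptavail` call, since both are passed as positional arguments. If those values can come from the command line or another untrusted source (their origin is not visible here), end option parsing before them: `capturex(qw(eu-readelf -h --), $filename);`, and likewise a `--` before `$id` if grep-aptavail accepts it. An anchored format check before the call, such as `$pid =~ /\A\d+\z/` in get_build_ids_from_pid, would be tighter still for `$pid` and `$id`. The `--core` and `-p` calls are less exposed because those options consume the next argument whatever it looks like. is_core_file's body continues past the end of this hunk.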