From 20914e37530022957ee16397ac9fa7270088479c Mon Sep 17 00:00:00 2001 From: Viktor Szakats Date: Sun, 22 Mar 2026 02:42:17 +0100 Subject: [PATCH] perl: harden external command invocations In `adddocsref.pl`, `checksrc-all.pl`, `singleuse.pl` and tests 307, 1013, 1022, 1275, 1707, 1708, 1710. Closes #21097 --- docs/examples/adddocsref.pl | 6 ++++-- scripts/checksrc-all.pl | 5 +++-- scripts/singleuse.pl | 9 ++++----- tests/data/test1707 | 2 +- tests/data/test1708 | 2 +- tests/data/test1710 | 2 +- tests/libtest/test1013.pl | 2 +- tests/libtest/test1022.pl | 2 +- tests/libtest/test307.pl | 2 +- tests/test1275.pl | 6 +++++- tests/test1707.pl | 9 ++------- 11 files changed, 24 insertions(+), 23 deletions(-) diff --git a/docs/examples/adddocsref.pl b/docs/examples/adddocsref.pl index 033dbf2124..cbc48c0407 100755 --- a/docs/examples/adddocsref.pl +++ b/docs/examples/adddocsref.pl @@ -28,6 +28,8 @@ use strict; use warnings; +use File::Copy; + my $docroot="https://curl.se/libcurl/c"; for my $f (@ARGV) { @@ -56,6 +58,6 @@ for my $f (@ARGV) { close(F); close(NEW); - system("mv $f $f.org"); - system("mv $f.new $f"); + move($f, "$f.org"); + move("$f.new", $f); } diff --git a/scripts/checksrc-all.pl b/scripts/checksrc-all.pl index a2bdaaec75..5b1cba7af6 100755 --- a/scripts/checksrc-all.pl +++ b/scripts/checksrc-all.pl @@ -13,7 +13,7 @@ use Cwd 'abs_path'; my @files; my $is_git = 0; if(system('git rev-parse --is-inside-work-tree >/dev/null 2>&1') == 0) { - @files = `git ls-files \"*.[ch]\"`; + open(O, '-|', 'git', 'ls-files', '*.[ch]') || die; push @files, ; close(O); $is_git = 1; } else { @@ -33,7 +33,8 @@ my $anyfailed = 0; for my $dir (@dirs) { if($is_git) { - @files = `git ls-files \"$dir/*.[ch]\"`; + @files = (); + open(O, '-|', 'git', 'ls-files', "$dir/*.[ch]") || die; push @files, ; close(O); chomp(@files); } else { diff --git a/scripts/singleuse.pl b/scripts/singleuse.pl index 8b5c155362..9573342150 100755 --- a/scripts/singleuse.pl +++ b/scripts/singleuse.pl 
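Review bot: The two `move()` calls that replace `system("mv ...")` discard their return value, so a failed rename (permissions, cross-device move, a missing `$f.new`) is now completely silent, where `mv` itself would at least have printed a diagnostic. Check them: `move($f, "$f.org") or die "move $f: $!";` and `move("$f.new", $f) or die "move $f.new: $!";`. The `close(NEW)` context line just above is unchecked too, which matters more now that the rewritten file is moved over the original immediately afterwards: a buffered write error only surfaces at close, so `close(NEW) or die "close $f.new: $!";` belongs there. The enclosing `for my $f (@ARGV)` loop starts outside this hunk.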
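Review bot: `close(O)` on the new `git ls-files` pipe drops the child's exit status, so a git that fails after the `rev-parse` probe succeeded leaves `@files` empty and the script carries on with nothing to check instead of failing. The old backticks had the same blind spot, but with an explicit handle the check is one line: `close(O) or die "git ls-files failed: $?";`. The bare `|| die` also reports only "Died at ...", so `or die "git ls-files: $!"` would say what could not be started. The second hunk of this file (`"$dir/*.[ch]"`) repeats the same open/close pattern and should get the same treatment; the rest of the file selection logic is outside these hunks.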
@@ -36,9 +36,9 @@ use strict; use warnings; -my $unittests=""; +my @unittests; if(@ARGV && $ARGV[0] eq "--unit") { - $unittests = "tests/unit "; + push @unittests, 'tests/unit'; shift @ARGV; } @@ -167,7 +167,7 @@ my %api = ( sub doublecheck { my ($f, $used) = @_; - open(F, "git grep -Fwle '$f' -- lib ${unittests}projects|"); + open(F, '-|', 'git', 'grep', '-Fwle', $f, '--', 'lib', @unittests, 'projects'); my @also; while() { my $e = $_; @@ -182,8 +182,7 @@ sub doublecheck { return @also; } -open(N, "nm $file|") || - die; +open(N, '-|', 'nm', $file) || die; my %exist; my %uses; diff --git a/tests/data/test1707 b/tests/data/test1707 index efd5f47d2c..9515640d71 100644 --- a/tests/data/test1707 +++ b/tests/data/test1707 @@ -17,7 +17,7 @@ Verify curl -h --insecure -%SRCDIR/test1707.pl %CURL --insecure %LOGDIR/help%TESTNUMBER ../docs/cmdline-opts/curl.txt +%SRCDIR/test1707.pl %CURL --insecure ../docs/cmdline-opts/curl.txt diff --git a/tests/data/test1708 b/tests/data/test1708 index a409fe806c..f2a1906386 100644 --- a/tests/data/test1708 +++ b/tests/data/test1708 @@ -17,7 +17,7 @@ Verify curl -h -F -%SRCDIR/test1707.pl %CURL -F %LOGDIR/help%TESTNUMBER ../docs/cmdline-opts/curl.txt +%SRCDIR/test1707.pl %CURL -F ../docs/cmdline-opts/curl.txt diff --git a/tests/data/test1710 b/tests/data/test1710 index d2c592983f..b87b580efe 100644 --- a/tests/data/test1710 +++ b/tests/data/test1710 @@ -17,7 +17,7 @@ Verify curl -h --no-clobber -%SRCDIR/test1707.pl %CURL --no-clobber %LOGDIR/help%TESTNUMBER ../docs/cmdline-opts/curl.txt +%SRCDIR/test1707.pl %CURL --no-clobber ../docs/cmdline-opts/curl.txt diff --git a/tests/libtest/test1013.pl b/tests/libtest/test1013.pl index 98ea642044..a3745c108b 100755 --- a/tests/libtest/test1013.pl +++ b/tests/libtest/test1013.pl 
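Review bot: The rewritten `open(F, '-|', 'git', 'grep', ...)` in `doublecheck` is still unchecked, whereas the `nm` open later in this patch dies on failure; if the fork or exec fails here the `while` loop reads nothing and `doublecheck` quietly returns an empty list. Suggest `open(F, '-|', 'git', 'grep', '-Fwle', $f, '--', 'lib', @unittests, 'projects') or die "git grep: $!";`. Passing `$f` as the operand of `-e` (the last flag in `-Fwle`) is also what keeps a symbol name starting with `-` from being parsed as an option, which is worth a short comment on that line, e.g. `# $f is the -e operand, so a leading '-' cannot become an option`. The body of `doublecheck` starts before this hunk.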
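Review bot: `open(N, '-|', 'nm', $file) || die;` dies without a message, so a missing `nm` or an unreadable `$file` shows up only as "Died at singleuse.pl line N."; `or die "nm $file: $!";` names what failed. `$file` is assigned outside this hunk; if it can come from the command line, a value beginning with `-` is parsed by `nm` as an option (as it was with the shell form), so `'nm', '--', $file` is worth considering if every `nm` the script is run against accepts `--`.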
@@ -48,7 +48,7 @@ my @curl = split / /,$1; # Read the output of curl-config my @curl_config; -open(CURLCONFIG, "sh $ARGV[0] --$what|") || die "Cannot get curl-config $what list\n"; +open(CURLCONFIG, '-|', 'sh', $ARGV[0], "--$what") || die "Cannot get curl-config $what list\n"; while() { chomp; $_ = lc($_) if($what eq "protocols"); # accept uppercase protocols in curl-config diff --git a/tests/libtest/test1022.pl b/tests/libtest/test1022.pl index 7309372d22..31fb98f1a4 100755 --- a/tests/libtest/test1022.pl +++ b/tests/libtest/test1022.pl @@ -44,7 +44,7 @@ close CURL; my $curlconfigversion; # Read the output of curl-config --version/--vernum -open(CURLCONFIG, "sh $ARGV[0] --$what|") || die "Cannot get curl-config --$what list\n"; +open(CURLCONFIG, '-|', 'sh', $ARGV[0], "--$what") || die "Cannot get curl-config --$what list\n"; $_ = ; chomp; my $filever=$_; diff --git a/tests/libtest/test307.pl b/tests/libtest/test307.pl index bef5ebae14..ddfa67be48 100755 --- a/tests/libtest/test307.pl +++ b/tests/libtest/test307.pl @@ -30,7 +30,7 @@ if($#ARGV != 0) { print "Usage: $0 curl-executable\n"; exit 3; } -if(!open(CURL, "$ARGV[0] -s --engine list|")) { +if(!open(CURL, '-|', $ARGV[0], '-s', '--engine', 'list')) { print "Cannot get SSL engine list\n"; exit 2; } diff --git a/tests/test1275.pl b/tests/test1275.pl index 11c4b98646..e3f5802577 100755 --- a/tests/test1275.pl +++ b/tests/test1275.pl @@ -28,7 +28,11 @@ use warnings; my $root=$ARGV[0] || ".."; -my @m = `git ls-files -- $root`; +my @m; +if(open(O, '-|', 'git', 'ls-files', '--', $root)) { + push @m, ; + close(O); +} my $errors = 0; diff --git a/tests/test1707.pl b/tests/test1707.pl index 249d2914f1..14964a1c00 100755 --- a/tests/test1707.pl +++ b/tests/test1707.pl @@ -32,7 +32,6 @@ use warnings; my $curl = shift @ARGV; my $opt = shift @ARGV; -my $output = shift @ARGV; my $txt = shift @ARGV; my $longopt; 
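Review bot: The `die` message on the rewritten `curl-config` open omits `$!` and the path that was tried, so a failure says neither why `sh` could not be started nor what it was asked to run; `die "Cannot get curl-config $what list ($ARGV[0]): $!\n"` keeps the original wording and adds both. The explicit `sh` prefix is carried over from the old form, presumably because the generated script may not be executable in the build tree; if that is the reason, a one-line comment such as `# run through sh: curl-config may not be executable in the build tree` would save the next reader the question, though the harness that supplies `$ARGV[0]` is not in this diff. The hunk in test1022.pl has the identical form and the same gap.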
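Review bot: When `git ls-files` cannot be started or exits non-zero (for example when `$root` is not inside a work tree), the new `if(open(...))` block leaves `@m` empty and the script continues with `$errors = 0`, so the test passes without having examined a single file. The old backticks behaved the same way, but the explicit branch now makes the condition cheap to surface: `close(O) or warn "git ls-files -- $root failed: $?\n";` inside the block and `warn "no files to check under $root\n" unless @m;` after it, or `die` if running outside git is not a supported case. The loop that consumes `@m` is outside this hunk, so whether a vacuous pass is acceptable here cannot be confirmed from the diff.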
@@ -45,14 +44,10 @@ else { } # first run the help command -system("$curl -h $opt > $output"); -my @curlout; -open(O, "<$output"); -push @curlout, ; -close(O); +my @curlout; open(O, '-|', $curl, '-h', $opt) || die; push @curlout, ; close(O); # figure out the short+long option combo using -h all*/ -open(C, "$curl -h all|"); +open(C, '-|', $curl, '-h', 'all'); if($shortopt) { while() { if(/^ +$opt, ([^ ]*)/) {
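Review bot: The two opens in this hunk are checked inconsistently and the help output is never validated: `open(O, '-|', $curl, '-h', $opt) || die` dies without a message, `open(C, '-|', $curl, '-h', 'all')` is not checked at all, and `close(O)` ignores `$?`, so a curl that rejects `$opt` (non-zero exit, no help text) silently leaves `@curlout` empty. Packing four statements onto one line also hides the structure the old five-line form made visible. Suggested rewrite of the added lines below; `if($shortopt) {` and the matching loop after it are unchanged.
```perl
# first run the help command
open(O, '-|', $curl, '-h', $opt) or die "$curl -h $opt: $!";
my @curlout = <O>;
close(O) or die "$curl -h $opt failed: $?";

# figure out the short+long option combo using -h all*/
open(C, '-|', $curl, '-h', 'all') or die "$curl -h all: $!";
# … unchanged: short/long option matching loop …
```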