From 3040bec5b1e5157e58ffb25c66bc9db57e0a29e8 Mon Sep 17 00:00:00 2001
From: Donald Buczek <buczek@molgen.mpg.de>
Date: Mon, 19 Nov 2018 14:53:53 +0100
Subject: [PATCH] mxmount: Use safer version of qx

The perl qx operator (`cmd`) calls a shell when cmd contains shell
metacharacters. If our netgroup (accidentally) contains a shell meta
character, unexpected things might happen. Replace by safer code.
---
 mxmount/mxmount | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/mxmount/mxmount b/mxmount/mxmount
index 7c5c952..bf467e7 100755
--- a/mxmount/mxmount
+++ b/mxmount/mxmount
@@ -45,6 +45,8 @@ create_exports();
 
 system("exportfs -ra");
 
+sub save_qx { open my $pipe,'-|',@_; return join('',<$pipe>) }
+
 sub add_data0_if_not_present {
     my $allmp = $D{$hostname};
 
@@ -84,7 +86,7 @@ sub create_exports {
         my $hosts='';
         warn "export $mountpoint to $hostspec opts $opts\n";
         if (my ($group) = $hostspec=~/^@(.+)/) {
-            $hosts=`hostconfig --list $group`;                      # expanded group
+            $hosts=save_qx('/usr/sbin/hostconfig','--list',$group); # expanded group
             $hosts or warn "group $group is empty\n";
         } else {
             $hosts=$hostspec;                                       # single host