Since I'm looking at the code anyway, I notice that there's a bunch of command execution using qx{} which IIRC is equivalent to backticks, and potentially vulnerable to shell injection. This should probably be replaced with `open` or `system` with arguments passed as an array.
On that qx again:
Is it really a security issue if I do:
qx{./hook-start} if (-x './hook-start');
And similar with the other hooks?
I mean those are shell scripts the user writes himself, as these should be executed on certain events. How is this supposed to create a shell injection?
That would be the case if the argument to qx were (there are other places) in a variable, yes?
But not in these cases. Just asking...
Rico
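The following Perl script is an added example written for this thread; it is not code from the project under discussion or from either poster. It illustrates both points raised above: the difference between a fixed literal such as qx{./hook-start} and a qx{} whose argument is built from data, and what the suggested replacement (the list form of `system` or `open`) changes. The sample value `$untrusted` and the use of `printf` as a stand-in for the hook are constructed for the demonstration; `./hook-start` is only referenced by name and is not executed unless such a file exists.

```perl
#!/usr/bin/env perl
# Added example, not from the original thread. Shows how data reaches
# the shell through an interpolated qx{} and how the list forms of
# system()/open() keep it out.
use strict;
use warnings;

# Constructed sample input: a value that came from outside the program
# (say, a file name taken from a request). It contains a space and
# double quotes, both of which /bin/sh treats as syntax, not data.
my $untrusted = q{report "draft".txt};

# Pattern 1: interpolating data into qx{}. Perl builds one string and
# hands it to /bin/sh, so the shell re-parses the data as command-line
# syntax: the child sees two arguments here, not one.
sub via_shell {
    my ($arg) = @_;
    my $out = qx{printf '[%s]\\n' $arg};   # assumption: printf is on PATH
    return $out;                            # "[report]\n[draft.txt]\n"
}

# Pattern 2: list form of system(). With more than one list element Perl
# calls execvp() directly; no shell is involved and the child receives
# exactly one argument containing the quotes and the space.
sub via_list_system {
    my ($arg) = @_;
    my $rc = system('printf', '[%s]\\n', $arg);   # prints [report "draft".txt]
    return $rc == 0;
}

# Pattern 3: list-form pipe open, the drop-in replacement for qx{} when
# the output is needed rather than just the exit status.
sub via_list_open {
    my ($arg) = @_;
    open(my $fh, '-|', 'printf', '[%s]\\n', $arg)
        or die "cannot run printf: $!";
    my $out = do { local $/; <$fh> };
    close($fh);
    return $out;                            # "[report \"draft\".txt]\n"
}

# The fixed-literal case from the thread. A single-string system() or
# qx{} argument with no shell metacharacters is exec'ed directly by Perl
# without a shell, so a literal './hook-start' is not an injection point.
# The indirect-object form below removes even that string inspection:
# the program is taken from the block and the arguments are passed as-is.
sub run_hook {
    my ($hook) = @_;                        # e.g. './hook-start' (not invented here)
    return 0 unless -x $hook;
    my $rc = system { $hook } $hook;        # never goes through /bin/sh
    return $rc == 0;
}

print "via qx{} with interpolated data:\n", via_shell($untrusted);
print "via system() list form:\n";
via_list_system($untrusted);
print "via open() list form:\n", via_list_open($untrusted);
print "hook-start present and ran: ", (run_hook('./hook-start') ? "yes" : "no"), "\n";
```

Running it prints two bracketed lines for the qx{} case and one for each list-form case, which is the whole difference in one screen: the literal in `qx{./hook-start}` is safe because nothing variable is interpolated into it, while any `qx{}` whose string includes a variable inherits the shell's parsing of that variable's contents. The `-x` check in the thread is orthogonal to this; it decides whether the hook runs, not how its command line is parsed.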