fun with taint and Getopt::Long

ddick on 2007-06-17T12:39:24

save the following code as test.pl



#! /usr/bin/perl -wT

use Getopt::Long();
use strict;

$ENV{'PATH'} = '/bin:/usr/bin:/sbin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

MAIN: {
    my ($file);
    Getopt::Long::GetOptions('file:s', \$file);
    system("echo $file");
}



run the following commands



$ test.pl --file blah
Insecure dependency in system while running with -T switch at test.pl line 12.
$ test.pl --file=blah
blah
$ perl -e 'print "Wtf???\n";'


I bet 20 quid…

Aristotle on 2007-06-17T15:52:17

… that it’s because in the --file=blah case, the parameter gets extracted with a regex match and in the --file blah case, it’s just taken verbatim from @ARGV.
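The Perl behaviour this comment points to, as an added example that is not part of the original posts and not Getopt::Long's own code: a regex capture comes back untainted, a verbatim copy stays tainted, and `use re 'taint'` keeps captures tainted until they are deliberately validated. The helper names `state_of` and `validated_name`, the allowlist pattern, and the fallback sample argument are assumptions made for the illustration.

```perl
#!/usr/bin/perl -T
use strict;
use warnings;
use Scalar::Util qw(tainted);

$ENV{'PATH'} = '/bin:/usr/bin';
delete @ENV{'IFS', 'CDPATH', 'ENV', 'BASH_ENV'};

# Constructed input: use the first real argument if given, otherwise a sample
# string tainted by appending a zero-length slice of the tainted $^X.
my $arg = @ARGV ? $ARGV[0] : '--file=blah' . substr($^X, 0, 0);

sub state_of { return tainted($_[0]) ? 'tainted' : 'clean' }

# Case 1: a value passed along verbatim keeps its taint.
my $verbatim = $arg;

# Case 2: a regex capture is untainted by Perl, whatever the pattern allows.
my ($captured) = $arg =~ /\A--file=(.*)\z/s;

# Case 3: the same capture under "use re 'taint'" stays tainted.
my $kept;
{
    use re 'taint';
    ($kept) = $arg =~ /\A--file=(.*)\z/s;
}

printf "%-32s %s\n", 'verbatim copy:',               state_of($verbatim);
printf "%-32s %s\n", 'regex capture:',               state_of($captured);
printf "%-32s %s\n", "capture with use re 'taint':", state_of($kept);

# Deliberate untainting (hypothetical helper): capture only what an allowlist
# accepts, so the value is clean because it was checked, not by accident.
sub validated_name {
    my ($value) = @_;
    return unless defined $value;
    return $value =~ /\A([A-Za-z0-9_.-]{1,64})\z/ ? $1 : undef;
}

my $name = validated_name($kept);
die "rejected --file value\n" unless defined $name;

# List form of system: no shell is involved, so metacharacters are inert.
system('echo', $name) == 0 or die "echo failed: $?\n";
```

Run it as `perl -T demo.pl --file=blah`, or with no arguments to use the constructed sample.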