Re: Potentially insecure Perl scripts
Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Vincent Lefevre writes ("Potentially insecure Perl scripts"):
> > I've just reported
> > https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> > against gropdf (also reported upstream to bug-groff), about the use of
> > the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> > command execution, e.g. when using wildcards.
> > I've noticed that some other Perl scripts also use this filehandle and
> > might be affected by the same issue.
> OMFG. This is worse than shellshock.
> $ perl -pe 's/^/got /' "whoami|"
> got iwj
Apparently this has been known about for EIGHTEEN YEARS
and no-one has fixed it or even documented it.
I think this is a serious bug in Perl which should be fixed in a
Debian Perl maintainers, can you please tell me whether you agree, and
if so whether you intend to prepare a security update ?
IMO the correct behaviour for <> and -p and -e should be to special
case "-" (which usual filename argument unquoting will often deal
with) and otherwise use the three-argument form of the builtin
open. The tiny number of programs broken by such a change will be
massively outweighed by the large number of hideous security bugs
which will be fixed.
Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
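
The behaviour proposed in the message above (special-case "-", otherwise use three-argument open), written out as an added example; it is not code from this thread or from Perl itself. The `read_inputs` helper and the sample file name are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example: a literal-filename replacement for `while (<>)`.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Read every line from the named inputs. "-" means STDIN; every other
# argument is opened with three-argument open, so characters such as
# "|", "<" or ">" in a name are part of the filename, never a mode.
sub read_inputs {
    my ($callback, @names) = @_;
    @names = ('-') unless @names;      # same default as <> with empty @ARGV
    my $failures = 0;
    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            $fh = \*STDIN;
        } elsif (!open($fh, '<', $name)) {
            warn "Can't open $name: $!\n";
            $failures++;
            next;
        }
        while (my $line = <$fh>) {
            $callback->($line, $name);
        }
        close($fh) unless $name eq '-';
    }
    return $failures;
}

# Constructed demonstration: a file whose name ends in "|", as a wildcard
# expansion could produce in a directory someone else can write to.
my $dir  = tempdir(CLEANUP => 1);
my $name = "$dir/echo INJECTED|";
open(my $out, '>', $name) or die "create: $!";
print {$out} "file contents\n";
close($out);

my @seen;
my $failed = read_inputs(sub { push @seen, $_[0] }, $name, "$dir/missing");
print "got $_" for @seen;              # the file's own line, no command is run
print "unopened inputs: $failed\n";    # the missing file is counted, not fatal
```

Since Perl 5.22 the double-diamond operator `<<>>` also opens each argument with three-argument open, but it treats "-" as a literal filename rather than STDIN.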