Web lists-archives.com

Re: Potentially insecure Perl scripts




On 1/23/19 2:05 PM, Vincent Lefevre wrote:
> Hi,
> 
> I've just reported
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> 
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> 
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
> 

Hi,

while gropdf lacks input sanitizationm which is definitely bad, the use
of diamond operator is totally fine and doesn't make scripts insecure.

One can run perl in tainted mode ( perl -T) to detect stuff like that.

Best,
Alex