Re: Potentially insecure Perl scripts
- Date: Wed, 23 Jan 2019 16:36:35 +0100
- From: Alex Mestiashvili <amestia@xxxxxxxxxxxxxxxx>
- Subject: Re: Potentially insecure Perl scripts
On 1/23/19 2:05 PM, Vincent Lefevre wrote:
> I've just reported
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
While gropdf lacks input sanitization, which is definitely bad, the use
of the diamond operator is totally fine and doesn't make scripts insecure.
One can run perl in tainted mode (perl -T) to detect stuff like that.
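The mechanism both posters are arguing about, shown as an added example (this is not code from gropdf, groff, or either poster): the null filehandle `<>` hands every element of @ARGV to Perl's magic two-argument open, so a file whose name ends in `|` is executed as a shell command the moment a script run as `script *` reaches it. The script below builds a scratch directory with one ordinary file and one hostile file name, reads both with three variants, and checks whether the hostile name's side effect (a file called `owned`) appeared. It assumes a Unix perl with File::Temp, and perl 5.22 or later for the `<<>>` operator; the file names, directory and `safe_*`/`unsafe_*` subroutine names are constructed for the demo.

```perl
#!/usr/bin/perl
# Added example: why `<>` runs commands hidden in file names, and two ways
# to read the same arguments without the magic two-argument open.
# Assumes Unix, File::Temp, and perl >= 5.22 for `<<>>`.
use strict;
use warnings;
use File::Temp qw(tempdir);
use Cwd qw(getcwd);

# Reads every name in the list with `<>`. Each name goes through the magic
# two-argument open, so "cmd|" means "run cmd via /bin/sh and read its output".
sub unsafe_slurp {
    local @ARGV = @_;
    my @lines;
    while (<>) { push @lines, $_ }
    return @lines;
}

# Same loop with the double diamond (perl >= 5.22): every element of @ARGV is
# passed to a three-argument open, so it is a file name and nothing else
# (a bare "-" is also a file here, not STDIN).
sub safe_slurp {
    local @ARGV = @_;
    my @lines;
    while (<<>>) { push @lines, $_ }
    return @lines;
}

# Portable variant for older perls: explicit three-argument open per name.
sub safe_slurp_explicit {
    my @lines;
    for my $name (@_) {
        open(my $fh, '<', $name) or die "cannot open '$name': $!\n";
        push @lines, <$fh>;
        close $fh;
    }
    return @lines;
}

# --- Constructed demo directory: one normal file, one with a hostile name ---
my $dir  = tempdir(CLEANUP => 1);
my $orig = getcwd();
chdir $dir or die "chdir: $!";
my $hostile = 'echo pwned >owned|';    # a perfectly legal Unix file name
for my $pair (['a.txt', "hello\n"], [$hostile, "harmless content\n"]) {
    open(my $fh, '>', $pair->[0]) or die "cannot create '$pair->[0]': $!";
    print {$fh} $pair->[1];
    close $fh;
}

# A script invoked as `script *` sees exactly these names in @ARGV.
opendir(my $dh, '.') or die "opendir: $!";
my @args = sort grep { $_ ne '.' && $_ ne '..' } readdir $dh;
closedir $dh;

print "safe (<<>>):     ", join('', safe_slurp(@args));
print "safe (3-arg):    ", join('', safe_slurp_explicit(@args));
print "owned created?   ", (-e 'owned' ? "yes\n" : "no\n");   # no

print "unsafe (<>):     ", join('', unsafe_slurp(@args));    # runs the command
print "owned created?   ", (-e 'owned' ? "yes\n" : "no\n");   # yes

chdir $orig or die "chdir back: $!";
```

Both safe variants print the contents of `a.txt` and of the hostile file, and `owned` does not exist afterwards; the `<>` variant silently executes `echo pwned >owned` through the shell and `owned` appears. Running the same script under `perl -T` changes the last step: names coming from readdir are tainted, and the piped open that `<>` attempts with a tainted string makes perl die with an "Insecure" error instead of running the command, which is the check suggested in the reply above.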