Web lists-archives.com

Re: Potentially insecure Perl scripts




On Wed, Jan 23, 2019 at 04:44:07PM +0100, Vincent Lefevre wrote:
> On 2019-01-23 15:32:00 +0000, Ian Jackson wrote:
> > This is completely mad and IMO the bug is in perl, not in all of the
> > millions of perl scripts that used <> thinking it was a sensible thing
> > to write.
> 
> I agree that it would be better to drop this "feature" of Perl.
> It is probably never used, and probably useless (I would rather
> use the features from the shell if I need a pipe).

Almost unbelievably the rejected upstream bug about this
(https://rt.perl.org/Public/Bug/Display.html?id=2783) had people
claiming not only that it was a feature but that it was used in
tutorials and working code.

-T does seem to fix this for one-liners, although the error message is
less than obvious at first glance:

  $ perl -Tpe 's/^/got /' "whoami|"
  Insecure $ENV{PATH} while running with -T switch.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]