Web lists-archives.com

Re: Potentially insecure Perl scripts




Russ Allbery writes:
> Ben Hutchings writes:
>> People have said this about ASLR, protected symlinks, and many other
>> kinds of security hardening changes.  We made them anyway and took the
>> temporary pain for a long-term security gain.
>
> Well, Perl has a deprecation mechanism with warnings and so forth,
> although I don't think Perl has ever actively broken a feature outside of
> "use <version>" with a later version, except for features marked as
> experimental.  But I suppose it's possible.

'.' was eventually removed from @INC by default.  It also wasn't seen as
a security problem when I reported it as such (or not worth fixing at
the time), but only years later when someone else reported it again.  So
maybe awareness changed a bit.

But "<>" isn't the only problem, there are way too many uses of the
two-argument form of Perl's "open" too...

Ansgar