Re: Potentially insecure Perl scripts
- Date: Thu, 24 Jan 2019 14:55:58 +0100
- From: Guillem Jover <guillem@xxxxxxxxxx>
- Subject: Re: Potentially insecure Perl scripts
On Wed, 2019-01-23 at 14:05:54 +0100, Vincent Lefevre wrote:
> I've just reported
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
Part of the problem might also be that perlcritic recommends this in its
InputOutput::ProhibitExplicitStdin policy; you can see the description
with «perlcritic --doc InputOutput::ProhibitExplicitStdin».
For dpkg, for example, I completely disabled that policy as bogus, when
hooking the perlcritic checks in:
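As an added illustration, not code from this thread, from groff or from dpkg: the script below shows why the null filehandle `<>` is dangerous with wildcards and two ways to read the same files safely. The function names, the `--unsafe`/`--safe`/`--explicit` switches and the file name `echo pwned|` are my own choices for the example.

```perl
#!/usr/bin/perl
# Added example (not from the thread, groff or dpkg): the null filehandle
# "<>" runs two-argument open() on every element of @ARGV, so a file name
# that looks like a pipe spec is executed as a shell command.
use strict;
use warnings;

# VULNERABLE: "<>" opens each @ARGV element with 2-arg open() semantics.
# If an attacker can create a file called 'echo pwned|' in a directory the
# user later passes as "*", the shell expands it into @ARGV and Perl runs
# "echo pwned" instead of opening a file.
sub count_lines_unsafe {
    my $n = 0;
    $n++ while <>;
    return $n;
}

# SAFE (Perl 5.22+): "<<>>" uses 3-arg open() with mode '<', so every
# element of @ARGV is taken literally as a file name (and "-" is a file
# named "-", not STDIN). With an empty @ARGV it still reads STDIN.
sub count_lines_safe {
    my $n = 0;
    $n++ while <<>>;
    return $n;
}

# SAFE on older perls: walk @ARGV yourself with an explicit 3-arg open,
# which is what "<<>>" does for you.
sub count_lines_explicit {
    my $n = 0;
    my @files = @ARGV ? @ARGV : ('-');
    for my $file (@files) {
        my $fh;
        if ($file eq '-') {
            $fh = \*STDIN;
        }
        else {
            open($fh, '<', $file) or die "cannot open '$file': $!\n";
        }
        $n++ while <$fh>;
        close($fh) unless $file eq '-';
    }
    return $n;
}

# Usage:  perl nullfh.pl [--unsafe|--safe|--explicit] FILE...
my $mode = @ARGV && $ARGV[0] =~ /^--/ ? shift @ARGV : '--safe';
my $n = $mode eq '--unsafe'   ? count_lines_unsafe()
      : $mode eq '--explicit' ? count_lines_explicit()
      :                         count_lines_safe();
print "$n lines\n";
```

To reproduce the problem in a scratch directory, create a file with the pipe-like name (`touch 'echo pwned|'`) and run `perl nullfh.pl --unsafe *`: the `--unsafe` path prints `pwned` on the way to its line count because the name was handed to the shell, while `--safe` and `--explicit` open the file literally and count its (zero) lines. Note that `<<>>` is a syntax error on perls older than 5.22, which is why the explicit loop is still worth having in scripts that must run on old systems.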