Web lists-archives.com

Re: Potentially insecure Perl scripts




Hi!

On Wed, 2019-01-23 at 14:05:54 +0100, Vincent Lefevre wrote:
> I've just reported
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> 
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> 
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.

Part of the problem might also be that perlcritic recommands this in its
InputOutput::ProhibitExplicitStdin policy, you can see the description
with «perlcritic --doc InputOutput::ProhibitExplicitStdin».

For dpkg, for example, I completely disabled that policy as bogus, when
hooking the perlcritic checks in:

  <https://git.dpkg.org/git/dpkg/dpkg.git/tree/t/critic/perlcriticrc#n67>

Thanks,
Guillem