Re: Potentially insecure Perl scripts
- Date: Thu, 24 Jan 2019 15:45:32 +0100
- From: Vincent Lefevre <vincent@xxxxxxxxxx>
- Subject: Re: Potentially insecure Perl scripts
On 2019-01-24 11:12:43 +0100, Alex Mestiashvili wrote:
> On 1/24/19 2:40 AM, Vincent Lefevre wrote:
> But I disagree that a language can be considered insecure, just because
Note: just a feature, not the language itself.
> it lets you shoot in the foot.
> The first thing I learned when doing CGI coding is to sanitize the
> input. That's the root problem in the most cases IMHO.
Not really: The point is that if there were real filenames as usual
(possibly with the safe and common exception for "-"), there would
be nothing to sanitize. And as most developers thought these were
real filenames (due to past boggus documentation), they did not try
to sanitize @ARGV. Hence the issue.
> It's also good to see that perl's documentation gets improved.
Yes, but even though it gets improved, it will take much time before
most non-official documentation and examples get fixed too.
> May be lintian's warning for something like "while\s?(\s?<>\s?)" in perl
> script explaining people that they should test the scripts is a good
> start to eliminate that in Debian?
Perhaps, with (as a Perl regexp): (foreach|while)\s*\(\s*<>\s*\)
glilypond, gperl and gpinyin use foreach (perhaps not a good idea,
but that's another matter).
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)