Web lists-archives.com

Re: Potentially insecure Perl scripts




On 2019-01-24 11:18:06 +0100, Adam Borowski wrote:
> On Thu, Jan 24, 2019 at 04:41:29AM +0000, Ben Hutchings wrote:
> > On Wed, 2019-01-23 at 09:07 -0800, Russ Allbery wrote:
> > > Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx> writes:
> > > > Apparently this has been klnown about for EIGHTEEN YEARS
> > > >   https://rt.perl.org/Public/Bug/Display.html?id=2783
> > > > and no-one has fixed it or even documented it.
> > > 
> > > It's been documented for pretty close to eighteen years too.  See
> > > perlop(1):
> > > 
> > >        The null filehandle "<>" is special: it can be used to emulate the
> > >        behavior of sed and awk, and any other Unix filter program that
> > >        takes a list of filenames, doing the same to each line of input
> > >        from all of them.  Input from "<>" comes either from standard
> > >        input, or from each file listed on the command line.
> > 
> > But this initial description is actively misleading.  It doesn't matter
> > that the giant booby-trap is documented several paragraphs further
> > down.  Why would a programmer expect that they need to read further
> > when they already understand this Unix convention?
> > 
> > There should be a big flashing WARNING or DEPRECATED right at the top
> > of the description.
> 
> Even that wouldn't be enough.  This won't help those who learned Perl
> before.

Agreed.

> I for one did most of my Perl learning ~20 years ago (so just before those
> "EIGHTEEN YEARS" you name), and I guess a good deal of Perl users are

Note that the "EIGHTEEN YEARS" was about the above initial bug report.
Concerning the documentation, perlrun(1) was improved only about
10 years ago. This is even more recent.

> similar -- those pesky annoying millenials seem to use exclusively Python,
> Perl users being correlated to low-saturation colors of beard.  Yet <>
> being broken in such a fundamental way is news to me.  And I don't quite
> see any way you could communicate that to me in a way other than a
> run-time warning -- you don't re-read docs for basics you believe you
> already know well.

As for me, even though I knew that <> did something special a few
years ago, I completely forgot it, and only now I noticed that it
could be a security issue in practice.

-- 
Vincent Lefèvre <vincent@xxxxxxxxxx> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)