Web lists-archives.com

Re: Potentially insecure Perl scripts




On Thu, Jan 24, 2019 at 02:49:29PM -0500, Mark Fowler wrote:
> On Thu, Jan 24, 2019 at 10:18 AM Ian Jackson <
> ijackson@xxxxxxxxxxxxxxxxxxxxxx> wrote:
> > To the Debian Perl maintainers: if I make a patch to make
> >   -p -n <>
> > use the 3-argument form of open (or equivalent), will you apply it ?
> >
> > To the Debian security team: would you ship it in a security update ?
> 
> Wouldn't a less drastic approach be to change the vulnerable scripts to use
> <<>> instead of <>?

Do you have a proposal for enumerating all the vulnerable scripts?

Also, <<>> doesn't work if your script expects to continue to support
"-" to mean stdin, because it turns that off along with all the rather
more dangerous magic.  In the case of groff, "-" was specifically
documented in the manual pages of the relevant programs; so I made
essentially the following transformation:

  while (<>) {
    ...
  }

... into:

  unshift @ARGV, '-' unless @ARGV;
  foreach my $filename (@ARGV) {
    my $input;
    if ($filename eq '-') {
      $input = \*STDIN;
    } elsif (not open $input, '<', $filename) {
      warn $!;
      next;
    }
    while (<$input>) {
      ...
    }
  }

A bit tedious, but seems workable.

-- 
Colin Watson                                       [cjwatson@xxxxxxxxxx]