Web lists-archives.com

Re: Potentially insecure Perl scripts




Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Even if we care only about scripts which are part of Debian, rather
> than scripts which people merely expect to run on Debian (and where
> they trust Debian to not blow their leg off), there will probably be
> many thousands.

I asked codesearch about
   while.*\<\>
and got 10780 results.

That
  - does not include situations where -p and -e are wrong
  - does not include other dangerous uses of <>
but
  - it does probably include some scripts which will never
     see potentially hostile filenames
  - will include some matches in things other than Perl but
     probably not many

I think this does mean that *at least* 10780 locations in Debian would
need to be looked at by a human being to see what to do about them.

I think, effectively, you are proposing a >10780-bug MBF ?

Ian.

-- 
Ian Jackson <ijackson@xxxxxxxxxxxxxxxxxxxxxx>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.