
Bug#841294: Overrule maintainer of "global" to package a new upstream version



Hi,
2016-12-09 18:26 GMT+09:00 Philip Hands <phil@hands.com>:
> >         open(PIPE, "-|") || exec '@globalpath@', '--result=ctags-xid',
> > $flags, $pattern;
>
> Is it not the case that this last line forks and execs global, passing
> $pattern as a parameter to global's -e option, and that $pattern is
> untrusted input?

Yes. $pattern is untrusted input.

> Looking at global.c it seems that before it is passed on to popen, it is
> run through quote_shell() which quotes any single-quotes in the string.
>
> That seems to deal with Ron's assertion that it's exploitable, although
> I have a slight feeling of impending doom about relying upon just this.

I agree.
I use popen() in global.c to call idutils(1). I would like to rewrite it
in the near future.

> Would it not be wise to make the network-facing perl code runnable with
> strict and taint turned on, if only to stop people reacting with horror
> at first glance?
>
> I presume patches would be welcome?

Of course! Thank you.

Regards,
Shigio

--
Shigio YAMAGUCHI <shigio@gnu.org>
PGP fingerprint: D1CB 0B89 B346 4AB6 5663  C4B6 3CA5 BBB3 57BE DDA3
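
Added example (not part of the original message, and not GNU GLOBAL's code): the two ways of handing an untrusted pattern to a child process that the thread contrasts, single-quote escaping before a shell parses the command versus passing the pattern as one argv element with no shell involved. The names sh_single_quote and run_argv are hypothetical, the sample pattern is constructed, and GLOBAL's actual quote_shell() may differ.

```c
#define _POSIX_C_SOURCE 200809L
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/wait.h>
#include <unistd.h>

/* Hypothetical helper (assumption, not GLOBAL's quote_shell()): wrap s in
 * single quotes and rewrite each ' as '\'' so sh sees one literal word. */
char *sh_single_quote(const char *s) {
    size_t n = 3;                            /* two quotes + NUL */
    for (const char *p = s; *p; p++) n += (*p == '\'') ? 4 : 1;
    char *out = malloc(n), *q = out;
    if (!out) return NULL;
    *q++ = '\'';
    for (const char *p = s; *p; p++) {
        if (*p == '\'') { memcpy(q, "'\\''", 4); q += 4; }
        else *q++ = *p;
    }
    *q++ = '\''; *q = '\0';
    return out;                              /* caller frees */
}

/* Shell-free replacement for popen(cmd, "r"): pipe + fork + execvp.
 * Each argv element reaches the child verbatim. Returns bytes read, or -1. */
long run_argv(char *const argv[], char *buf, size_t cap) {
    int fd[2], st;
    if (cap == 0 || pipe(fd) < 0) return -1;
    pid_t pid = fork();
    if (pid < 0) { close(fd[0]); close(fd[1]); return -1; }
    if (pid == 0) {                          /* child: stdout -> pipe */
        dup2(fd[1], STDOUT_FILENO);
        close(fd[0]); close(fd[1]);
        execvp(argv[0], argv);
        _exit(127);                          /* exec failed */
    }
    close(fd[1]);
    size_t used = 0; ssize_t r;
    while (used + 1 < cap && (r = read(fd[0], buf + used, cap - 1 - used)) > 0)
        used += (size_t)r;
    buf[used] = '\0';
    close(fd[0]);
    if (waitpid(pid, &st, 0) < 0 || !WIFEXITED(st) || WEXITSTATUS(st) != 0) return -1;
    return (long)used;
}

int main(void) {                             /* constructed sample pattern */
    char buf[256], *argv[] = {"printf", "%s\n", "o'clock; echo $HOME", NULL};
    return run_argv(argv, buf, sizeof buf) > 0 && fputs(buf, stdout) >= 0 ? 0 : 1;
}
```

With the argv form there is no quoting step to get wrong; the escaping form is only as safe as the quoting function and the shell that later parses its output.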
