
Re: Potentially insecure Perl scripts

On 1/23/19 2:05 PM, Vincent Lefevre wrote:
> Hi,
> I've just reported
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.


While gropdf lacks input sanitization, which is definitely bad, the use
of the diamond operator is totally fine and doesn't make scripts insecure.

One can run perl in tainted mode (perl -T) to detect stuff like that.
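The following is an added illustration of the point under discussion, not code from the thread, from gropdf or from groff: the null filehandle `<>` reads the names in `@ARGV` with a two-argument `open`, which interprets characters such as a trailing `|` as an instruction to run a command, whereas an explicit loop with three-argument `open` (or, on Perl 5.22 and later, the double diamond `<<>>`) treats every argument as a literal file name. The helper name `read_files_safely` and the constructed sample file are assumptions made for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not part of the original thread, gropdf or groff).
# Reads every file named on the command line without the magic
# two-argument open that the null filehandle <> performs on @ARGV.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Explicit loop with three-argument open: the file name is never parsed
# for '|', '<', '>' or surrounding whitespace, so an argument that looks
# like a shell pipeline is simply a (usually non-existent) file name.
# Returns the number of lines read across all files that could be opened.
sub read_files_safely {
    my @names = @_;
    my $lines = 0;
    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            # Keep the conventional meaning of '-' (read standard input),
            # which <<>> deliberately drops.
            $fh = \*STDIN;
        }
        else {
            open($fh, '<', $name) or do {
                warn "cannot open '$name': $!\n";
                next;
            };
        }
        while (my $line = <$fh>) {
            $lines++;
            print $line;
        }
        close $fh unless $name eq '-';
    }
    return $lines;
}

# Perl 5.22+ alternative: <<>> opens each element of @ARGV with the
# three-argument form internally, so the one-line idiom stays literal:
#
#     while (my $line = <<>>) { print $line; }
#
# Note that with <<>> the argument '-' is no longer treated as STDIN.

unless (caller) {
    # Constructed input: one ordinary temporary file and one argument that
    # a two-argument open would have treated as a pipe. With the explicit
    # three-argument open the second argument only produces a warning
    # about a missing file; nothing is executed.
    my ($tmp, $path) = tempfile(UNLINK => 1);
    print $tmp "first line\nsecond line\n";
    close $tmp;

    my $count = read_files_safely($path, 'echo not-run|');
    print "lines read: $count\n";    # 2 lines from the temporary file
}
```

Running the script prints the two constructed lines, a "cannot open 'echo not-run|'" warning, and `lines read: 2`; the same arguments handed to a script built around `<>` would instead have been passed to a two-argument `open`, which is the behaviour the bug report is about.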

