Re: Potentially insecure Perl scripts
Russ Allbery writes:
> Ben Hutchings writes:
>> People have said this about ASLR, protected symlinks, and many other
>> kinds of security hardening changes. We made them anyway and took the
>> temporary pain for a long-term security gain.
>
> Well, Perl has a deprecation mechanism with warnings and so forth,
> although I don't think Perl has ever actively broken a feature outside of
> "use <version>" with a later version, except for features marked as
> experimental. But I suppose it's possible.
'.' was eventually removed from @INC by default. It also wasn't seen as
a security problem when I reported it as such (or not worth fixing at
the time), but only years later when someone else reported it again. So
maybe awareness changed a bit.
But "<>" isn't the only problem, there are way too many uses of the
two-argument form of Perl's "open" too...
Ansgar
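The two patterns Ansgar names, the magic "<>" operator and the two-argument "open", beside their non-magic forms. This is an added example, not code from the thread; it assumes Perl 5.22 or later (for "<<>>") and constructs a file with a '|' in its name to show that the three-argument forms treat it as a plain file name.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);
use File::Spec;

# Constructed input: a file whose name ends in '|'. The two-argument open
# and the plain <> operator parse such a name for modes and pipes; the
# three-argument open and <<>> use it literally.
my $dir  = tempdir(CLEANUP => 1);
my $name = File::Spec->catfile($dir, 'report|');

open(my $out, '>', $name) or die "cannot create $name: $!";
print $out "line one\nline two\n";
close($out) or die "close failed: $!";

# Weak forms (the ones the mail warns about), shown only as comments:
#   open(my $fh, $name)     # name is interpreted, not opened literally
#   while (<>) { ... }      # same interpretation for every @ARGV element

# Hardened form: mode and path are separate arguments, so the name is
# never parsed.  Returns the number of lines read.
sub count_lines_safe {
    my ($path) = @_;
    open(my $fh, '<', $path) or die "cannot open $path: $!";
    my $n = 0;
    $n++ while <$fh>;
    close($fh) or die "close failed: $!";
    return $n;
}

printf "three-arg open read %d lines from '%s'\n",
    count_lines_safe($name), $name;

# <<>> is the non-magic diamond: each @ARGV entry is opened with the
# three-argument form, so 'report|' is read as a file, not run as a pipe.
sub count_lines_argv {
    my (@files) = @_;
    local @ARGV = @files;
    my $n = 0;
    $n++ while <<>>;
    return $n;
}

printf "<<>> read %d lines from '%s'\n", count_lines_argv($name), $name;
```

Both counts print 2; replacing either hardened form with its weak counterpart would not read the file at all, which is the behaviour the mail objects to.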