[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Potentially insecure Perl scripts


On Wed, 2019-01-23 at 14:05:54 +0100, Vincent Lefevre wrote:
> I've just reported
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.

Part of the problem might also be that perlcritic recommands this in its
InputOutput::ProhibitExplicitStdin policy, you can see the description
with «perlcritic --doc InputOutput::ProhibitExplicitStdin».

For dpkg, for example, I completely disabled that policy as bogus, when
hooking the perlcritic checks in:



Reply to: