
Re: Potentially insecure Perl scripts

On 2019-01-24 11:12:43 +0100, Alex Mestiashvili wrote:
> On 1/24/19 2:40 AM, Vincent Lefevre wrote:
> But I disagree that a language can be considered insecure, just because

Note: just a feature, not the language itself.

> it lets you shoot in the foot.
> The first thing I learned when doing CGI coding is to sanitize the
> input. That's the root problem in the most cases IMHO.

Not really: The point is that if there were real filenames as usual
(possibly with the safe and common exception for "-"), there would
be nothing to sanitize. And as most developers thought these were
real filenames (due to past bogus documentation), they did not try
to sanitize @ARGV. Hence the issue.

> It's also good to see that perl's documentation gets improved.

Yes, but even though it gets improved, it will take much time before
most non-official documentation and examples get fixed too.

> Maybe lintian's warning for something like "while\s?(\s?<>\s?)" in perl
> script explaining to people that they should test the scripts is a good
> start to eliminate that in Debian?

Perhaps, with (as a Perl regexp): (foreach|while)\s*\(\s*<>\s*\)

glilypond, gperl and gpinyin use foreach (perhaps not a good idea,
but that's another matter).

Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
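As an added illustration of the lintian-style check discussed above (this is example code, not part of the mailing-list post, lintian, or any Debian package), the script below scans Perl source for loops that read @ARGV through the magic diamond operator `<>`. It uses the regexp from the message, widened to also catch `for (<>)` and a loop variable such as `while (my $line = <>)`, and it deliberately does not flag the double diamond `<<>>` (Perl 5.22 and later), which uses the three-argument open and so treats every element of @ARGV as a plain filename. The sample script text is constructed for the example; the regexp widening and the helper name `scan_lines` are this example's own choices.

```perl
#!/usr/bin/perl
# Added example (not from the mailing-list post): a lintian-style check that
# flags "while (<>)" / "foreach (<>)" loops, which read the files named in
# @ARGV with the two-argument open and therefore interpret specially formed
# "filenames" instead of opening them.
use strict;
use warnings;

# Regexp from the post, widened (assumption of this example) to also catch
# "for (<>)" and a loop variable such as "while (my $line = <>)".  The
# lookbehind/lookahead exclude the double diamond "<<>>", which is safe.
my $magic_diamond =
    qr/\b(?:foreach|for|while)\s*\(\s*(?:my\s+\$\w+\s*=\s*)?(?<!<)<>(?!>)\s*\)/;

# Constructed sample script text (not a real file from the thread).
my @sample = (
    'use strict;',
    'while (<>) {',              # flagged: magic diamond
    'foreach (<>) { print }',    # flagged: magic diamond
    'while (my $line = <>) {',   # flagged: magic diamond with loop variable
    'while (<<>>) {',            # not flagged: double diamond, 3-arg open
    'while (my $l = <STDIN>) {', # not flagged: explicit filehandle
);

# Return "name:line: text" for every line that matches the pattern.
sub scan_lines {
    my ($name, @lines) = @_;
    my @hits;
    for my $i (0 .. $#lines) {
        push @hits, sprintf("%s:%d: %s", $name, $i + 1, $lines[$i])
            if $lines[$i] =~ $magic_diamond;
    }
    return @hits;
}

# Scan the files given on the command line; with no arguments, scan the
# constructed sample.  Note the three-argument open: this scanner itself
# does not use the magic diamond on @ARGV.
if (@ARGV) {
    for my $file (@ARGV) {
        open(my $fh, '<', $file) or die "$file: $!";
        my @lines = <$fh>;
        chomp @lines;
        close $fh;
        print "$_\n" for scan_lines($file, @lines);
    }
}
else {
    print "$_\n" for scan_lines('sample.pl', @sample);
}
```

Run without arguments it reports the three magic-diamond lines of the sample and stays silent on the `<<>>` and `<STDIN>` loops; run as `perl check-diamond.pl script1.pl script2.pl` it reports the matching lines of real scripts. A pattern match is only a hint that the script needs reviewing, as the message says: a script that never receives untrusted @ARGV may be fine, and the fix where one is needed is `<<>>` or an explicit three-argument open.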
