[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Potentially insecure Perl scripts

Guillem Jover writes ("Re: Potentially insecure Perl scripts"):
> Part of the problem might also be that perlcritic recommands this in its
> InputOutput::ProhibitExplicitStdin policy, you can see the description
> with «perlcritic --doc InputOutput::ProhibitExplicitStdin».
> For dpkg, for example, I completely disabled that policy as bogus, when
> hooking the perlcritic checks in:
>   <https://git.dpkg.org/git/dpkg/dpkg.git/tree/t/critic/perlcriticrc#n67>

What this demonstrates (again) is that the Perl community's practice
is inconsistent with the "formal specification" (such as it is) of the
behaviour of <>.

The right answer is to fix the behaviour to be secure and sane by
default.  We can arrange for an environment variable for people who
want to turn the crazy back on.


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: