[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Potentially insecure Perl scripts

Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Even if we care only about scripts which are part of Debian, rather
> than scripts which people merely expect to run on Debian (and where
> they trust Debian to not blow their leg off), there will probably be
> many thousands.

I asked codesearch about
and got 10780 results.

  - does not include situations where -p and -e are wrong
  - does not include other dangerous uses of <>
  - it does probably include some scripts which will never
     see potentially hostile filenames
  - will include some matches in things other than Perl but
     probably not many

I think this does mean that *at least* 10780 locations in Debian would
need to be looked at by a human being to see what to do about them.

I think, effectively, you are proposing a >10780-bug MBF ?


Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.

Reply to: