Re: Potentially insecure Perl scripts
- To: Niels Thykier <niels@thykier.net>
- Cc: Ian Jackson <ijackson@chiark.greenend.org.uk>, Mark Fowler <mark@twoshortplanks.com>, perl@packages.debian.org, security@debian.org, debian-devel@lists.debian.org
- Subject: Re: Potentially insecure Perl scripts
- From: Guillem Jover <guillem@debian.org>
- Date: Thu, 24 Jan 2019 22:40:08 +0100
- Message-id: <20190124214008.GA23331@thunder.hadrons.org>
- Mail-followup-to: Niels Thykier <niels@thykier.net>, Ian Jackson <ijackson@chiark.greenend.org.uk>, Mark Fowler <mark@twoshortplanks.com>, perl@packages.debian.org, security@debian.org, debian-devel@lists.debian.org
- In-reply-to: <d549a64b-813b-5462-852c-ad0c4dc462d9@thykier.net>
- References: <20190123130554.GA23813@cventin.lip.ens-lyon.fr> <20190124135558.GA6524@thunder.hadrons.org> <23625.54560.431642.679629@chiark.greenend.org.uk> <23625.55120.700245.2863@chiark.greenend.org.uk> <CAJ=1D2-yS_Bmib7ccmYeHmsRJiO4MxkNHU3CMA8Ok9Ke5Ay_Sw@mail.gmail.com> <23626.8998.573734.554365@chiark.greenend.org.uk> <23626.9360.906440.54422@chiark.greenend.org.uk> <d549a64b-813b-5462-852c-ad0c4dc462d9@thykier.net>
On Thu, 2019-01-24 at 21:08:00 +0000, Niels Thykier wrote:
> Ian Jackson:
> > I asked codesearch about
> > while.*\<\>
> > and got 10780 results.
>
> I had a similar thought but tried a slightly more complex pattern:
>
> (while\s*|for(each)?\s*(my)?\s*\$.*)\(.*<>\s*\)
>
> The pattern also tries to cover "for" and "foreach" while also being
> more strict to prune false positives (C++ templates, Pascal and SQL trip
> naive searches for "<>").
>
> This variant still puts us in the 3000 - 4000 results, which (while
> being less than half of the original number) is far more than is likely
> to be resolved manually in a reasonable time frame.
Oh, and you both are missing <ARGV>. XD
Thanks,
Guillem
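The thread searches Debian's codesearch for readline loops over Perl's magic ARGV handle, and Guillem's point is that `<ARGV>` spells the same handle as `<>` and has to be part of any such query. The script below is an added example for auditing a local source tree, not code from the thread, from codesearch, or from the Debian perl packagers: it folds both spellings into Niels' loop pattern, also reports bare reads such as `my @lines = <>;`, blanks out quoted strings and trailing comments first (a heuristic, not a Perl parser, so the C++/Pascal/SQL false positives the thread mentions are only partly pruned), and deliberately leaves the double-diamond `<<>>` form (three-argument open, available since Perl 5.22) unflagged. The sample Perl source is constructed for the example.

```python
import re
from pathlib import Path

# Quoted string literals and trailing comments are blanked before matching so
# that "<>" inside a string or a comment does not count as a read.  Heuristic:
# this is not a Perl tokenizer (regex literals, heredocs and q// quoting are
# not handled).  The comment lookbehind keeps `$#array` and `\#` intact.
STRING_RE = re.compile(r'"(?:\\.|[^"\\])*"' + r"|'(?:\\.|[^'\\])*'")
COMMENT_RE = re.compile(r"(?<![$\\])#.*")

# Niels' loop pattern from the thread, widened to <ARGV> as Guillem notes, and
# to the `while (my $l = <>)` assignment form.  Covers:
#   while (<>)   while (<ARGV>)   for[each] [my] $x (<>)   while (my $l = <ARGV>)
LOOP_RE = re.compile(
    r"\b(?:while|for(?:each)?)\s*"          # loop keyword
    r"(?:(?:my\s+)?\$\w+\s*)?"              # optional for/foreach loop variable
    r"\(\s*"
    r"(?:(?:my\s+)?\$\w+\s*=\s*)?"          # optional `my $l =` inside the parens
    r"(?:<>|<ARGV>)"                        # the magic ARGV handle
    r"\s*\)"
)

# Any other read from the magic handle, e.g. `my @all = <>;`.  The lookarounds
# exclude `<<>>`, the double-diamond form that uses three-argument open.
ANY_RE = re.compile(r"(?<!<)<(?:ARGV)?>(?!>)")


def strip_literals(line):
    """Blank out quoted strings and a trailing comment (heuristic)."""
    line = STRING_RE.sub('""', line)
    return COMMENT_RE.sub("", line)


def find_argv_reads(source):
    """Return (lineno, kind, text) for each line reading from <> or <ARGV>.

    kind is "loop" for a while/for/foreach readline loop and "read" for any
    other use of the handle; text is the line with literals stripped.
    """
    hits = []
    for lineno, raw in enumerate(source.splitlines(), start=1):
        line = strip_literals(raw).strip()
        if LOOP_RE.search(line):
            hits.append((lineno, "loop", line))
        elif ANY_RE.search(line):
            hits.append((lineno, "read", line))
    return hits


def scan_file(path):
    """Scan one file on disk; returns (path, lineno, kind, text) tuples."""
    text = Path(path).read_text(encoding="utf-8", errors="replace")
    return [(str(path), n, k, t) for n, k, t in find_argv_reads(text)]


# Constructed sample input: a small Perl script exercising each spelling.
SAMPLE = r'''#!/usr/bin/perl
use strict;
# while (<>) in a comment should be skipped
while (<>) {           # classic idiom: reads the files named in @ARGV
    print;
}
foreach my $line (<ARGV>) { chomp $line; }
for $_ (<>) { }
my @all = <>;
while (my $l = <ARGV>) { }
while (<<>>) { print }    # double diamond: not flagged
print "a <> b" if $x <=> $y;
'''

if __name__ == "__main__":
    for lineno, kind, text in find_argv_reads(SAMPLE):
        print(f"{lineno:4d} {kind:5s} {text}")
```

Running the block prints lines 4, 7, 8, 9 and 10 of the sample (line 9 as a bare `read`, the rest as `loop`); the commented line, the string literal and the `<<>>` loop are not reported. `scan_file()` applies the same check to a real file; restrict it to files whose shebang or extension says Perl, since, as the thread notes, `<>` in C++, Pascal or SQL sources will otherwise show up as noise.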