Re: Potentially insecure Perl scripts
Vincent Lefevre writes ("Potentially insecure Perl scripts"):
> I've just reported
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
>
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
OMFG. This is worse than shellshock.
$ perl -pe 's/^/got /' "whoami|"
got iwj
$
This is completely mad and IMO the bug is in perl, not in all of the
millions of perl scripts that used <> thinking it was a sensible thing
to write.
Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
Reply to: