Re: Potentially insecure Perl scripts
On Wed, Jan 23, 2019 at 04:44:07PM +0100, Vincent Lefevre wrote:
> On 2019-01-23 15:32:00 +0000, Ian Jackson wrote:
> > This is completely mad and IMO the bug is in perl, not in all of the
> > millions of perl scripts that used <> thinking it was a sensible thing
> > to write.
>
> I agree that it would be better to drop this "feature" of Perl.
> It is probably never used, and probably useless (I would rather
> use the features from the shell if I need a pipe).

Almost unbelievably the rejected upstream bug about this
(https://rt.perl.org/Public/Bug/Display.html?id=2783) had people
claiming not only that it was a feature but that it was used in
tutorials and working code.

-T does seem to fix this for one-liners, although the error message is
less than obvious at first glance:

  $ perl -Tpe 's/^/got /' "whoami|"
  Insecure $ENV{PATH} while running with -T switch.

--
Colin Watson [cjwatson@debian.org]
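
One way for a script to avoid the behaviour discussed in this thread, given here as an added example that is not part of any message in the thread: open each argument with three-argument open, so a name such as "whoami|" can only ever be a path. The helper name prefix_lines and the temporary file are constructed for illustration.

```perl
#!/usr/bin/perl
# Added example: do what `perl -pe 's/^/got /'` does, but without the
# two-argument open that <> applies to each command-line argument.
use strict;
use warnings;
use File::Temp qw(tempdir);

# Read every named file and return its lines with $prefix prepended.
# The mode is fixed to '<', so characters such as '|', '<' or '>' in a
# name are never interpreted; the name is used purely as a path.
sub prefix_lines {
    my ($prefix, @names) = @_;
    my @out;
    for my $name (@names) {
        my $fh;
        unless (open($fh, '<', $name)) {
            warn "cannot open '$name': $!\n";
            next;
        }
        while (my $line = <$fh>) {
            push @out, $prefix . $line;
        }
        close($fh);
    }
    return @out;
}

# Constructed demo input: a real file whose name ends in '|'.
my $dir = tempdir(CLEANUP => 1);
my $odd = "$dir/whoami|";
open(my $w, '>', $odd) or die "cannot create '$odd': $!\n";
print {$w} "plain file content\n";
close($w);

# The first argument is read as an ordinary file. The second names no
# existing file, so it is reported as an open failure and nothing is run.
print prefix_lines('got ', $odd, 'whoami|');

# On Perl 5.22 and later, the double-diamond operator gives the same
# three-argument behaviour for @ARGV:  while (<<>>) { s/^/got /; print }
```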