Re: Potentially insecure Perl scripts

To: debian-devel@lists.debian.org
Subject: Re: Potentially insecure Perl scripts
From: Russ Allbery <rra@debian.org>
Date: Wed, 23 Jan 2019 09:29:55 -0800
Message-id: <[🔎] 87a7jr46zw.fsf@hope.eyrie.org>
In-reply-to: <[🔎] 20190123172304.hqfs65pn6vwgd4ld@riva.ucam.org> (Colin Watson's message of "Wed, 23 Jan 2019 17:23:04 +0000")
References: <[🔎] 20190123130554.GA23813@cventin.lip.ens-lyon.fr> <[🔎] 23624.35056.535579.997708@chiark.greenend.org.uk> <[🔎] 20190123154407.GA15242@cventin.lip.ens-lyon.fr> <[🔎] 9bc33706-d910-829c-3486-b8968454ad10@rsh2.donotuse.de> <[🔎] 20190123163156.qcnwyvtl5vllglx7@riva.ucam.org> <[🔎] 41f85f75-4a96-fd6e-4afe-3c66013f5819@rsh2.donotuse.de> <[🔎] 20190123172304.hqfs65pn6vwgd4ld@riva.ucam.org>

Colin Watson <cjwatson@debian.org> writes:

> Ah, I see.  I think it would have been clearer what you meant with a bit
> more context, so here it is for others:

>        If one can be sure that a particular program is a Perl script
>        expecting filenames in @ARGV, the clever programmer can write
>        something like this:

>            % program f1 "cmd1|" - f2 "cmd2|" f3 < tmpfile

>        and no matter which sort of shell it's called from, the Perl
>        program will read from the file f1, the process cmd1, standard
>        input (tmpfile in this case), the f2 file, the cmd2 command,
>        and finally the f3 file.  Pretty nifty, eh?

Note also that you can modify @ARGV in the program and then use <>, and I
know of Perl programs (I have even written Perl programs, back in the day)
that do this to introduce pipes and other constructs and then use <> to
loop through the results.

-- 
Russ Allbery (rra@debian.org)               <http://www.eyrie.org/~eagle/>

Reply to:

References:
- Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Alex Mestiashvili <amestia@rsh2.donotuse.de>
- Re: Potentially insecure Perl scripts
  - From: Colin Watson <cjwatson@debian.org>
- Re: Potentially insecure Perl scripts
  - From: Alex Mestiashvili <amestia@rsh2.donotuse.de>
- Re: Potentially insecure Perl scripts
  - From: Colin Watson <cjwatson@debian.org>

Prev by Date: Re: Potentially insecure Perl scripts
Next by Date: Bug#920305: ITP: popper.js -- Javascript library to position poppers in web applications
Previous by thread: Re: Potentially insecure Perl scripts
Next by thread: Re: Potentially insecure Perl scripts
Index(es):
- Date
- Thread