Re: Potentially insecure Perl scripts

To: debian-devel@lists.debian.org
Subject: Re: Potentially insecure Perl scripts
From: Vincent Lefevre <vincent@vinc17.net>
Date: Thu, 24 Jan 2019 02:40:25 +0100
Message-id: <[🔎] 20190124014025.GA16058@zira.vinc17.org>
Mail-followup-to: debian-devel@lists.debian.org
In-reply-to: <[🔎] 9bc33706-d910-829c-3486-b8968454ad10@rsh2.donotuse.de>
References: <[🔎] 20190123130554.GA23813@cventin.lip.ens-lyon.fr> <[🔎] 23624.35056.535579.997708@chiark.greenend.org.uk> <[🔎] 20190123154407.GA15242@cventin.lip.ens-lyon.fr> <[🔎] 9bc33706-d910-829c-3486-b8968454ad10@rsh2.donotuse.de>

On 2019-01-23 17:23:10 +0100, Alex Mestiashvili wrote:
> On 1/23/19 4:44 PM, Vincent Lefevre wrote:
> > On 2019-01-23 15:32:00 +0000, Ian Jackson wrote:
> >> This is completely mad and IMO the bug is in perl, not in all of the
> >> millions of perl scripts that used <> thinking it was a sensible thing
> >> to write.
> > 
> > I agree that it would be better to drop this "feature" of Perl.
> > It is probably never used, and probably useless (I would rather
> > use the features from the shell if I need a pipe).
> 
> Perl's open is well documented.

What wasn't clear was not about open, but the fact that <> uses the
2-arg open in a raw way. FYI, I learnt Perl in 1994 or early 1995,
just after Perl 5.000 was released, and at that time, I'm not sure
that <> was properly documented. More importantly, security was not
really a consideration (not much except file permissions).

The fact that the perlsec(1) man page doesn't mention the issue with
the null filehandle doesn't help either.

One also has (had) plenty of misleading documentation, starting with
the perlrun(1) man page:

       -n   causes Perl to assume the following loop around your
            program, which makes it iterate over filename arguments
            somewhat like sed -n or awk:

              LINE:
                while (<>) {
                    ...             # your program goes here
                }

"like sed -n and awk". Really?

Now, this man page also says:

            Also note that "<>" passes command line arguments to
            "open" in perlfunc, which doesn't necessarily interpret
            them as file names.  See  perlop for possible security
            implications.

But in 2008, it was still not there. Thus programs written before 2008
or by developers who started to learn Perl before 2008 can easily be
affected by this issue.

BTW, I've just seen that I already reported a documentation bug in
the past:

  https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592727

This was about the behavior, which is not specified, e.g. on
the argument '>file'.

> Quoting the perlipc:
> 
> "it's much more efficient to process the file one line or record at a
> time because then you don't have to read the whole thing into memory at
> once."

Well, with a pipe used from the shell (either with "|" or with
process substitution) instead of a special Perl syntax, the
behavior is the same.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: Potentially insecure Perl scripts
  - From: Alex Mestiashvili <amestia@rsh2.donotuse.de>

References:
- Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Alex Mestiashvili <amestia@rsh2.donotuse.de>

Prev by Date: Bug#920311: ITP: connman-gtk -- fully-featured GUI for ConnMan with systray support
Next by Date: Re: Potentially insecure Perl scripts
Previous by thread: Re: Potentially insecure Perl scripts
Next by thread: Re: Potentially insecure Perl scripts
Index(es):
- Date
- Thread