Re: Potentially insecure Perl scripts

[Alex Mestiashvili <amestia@rsh2.donotuse.de>]

On 1/24/19 2:40 AM, Vincent Lefevre wrote:
> On 2019-01-23 17:23:10 +0100, Alex Mestiashvili wrote:
>> On 1/23/19 4:44 PM, Vincent Lefevre wrote:
>>> On 2019-01-23 15:32:00 +0000, Ian Jackson wrote:
>>>> This is completely mad and IMO the bug is in perl, not in all of the
>>>> millions of perl scripts that used <> thinking it was a sensible thing
>>>> to write.
>>>
>>> I agree that it would be better to drop this "feature" of Perl.
>>> It is probably never used, and probably useless (I would rather
>>> use the features from the shell if I need a pipe).
>>
>> Perl's open is well documented.
> 
> What wasn't clear was not about open, but the fact that <> uses the
> 2-arg open in a raw way. FYI, I learnt Perl in 1994 or early 1995,
> just after Perl 5.000 was released, and at that time, I'm not sure
> that <> was properly documented. More importantly, security was not
> really a consideration (not much except file permissions).
> 
> The fact that the perlsec(1) man page doesn't mention the issue with
> the null filehandle doesn't help either.
> 
> One also has (had) plenty of misleading documentation, starting with
> the perlrun(1) man page:
> 
>        -n   causes Perl to assume the following loop around your
>             program, which makes it iterate over filename arguments
>             somewhat like sed -n or awk:
> 
>               LINE:
>                 while (<>) {
>                     ...             # your program goes here
>                 }
> 
> "like sed -n and awk". Really?
> 
> Now, this man page also says:
> 
>             Also note that "<>" passes command line arguments to
>             "open" in perlfunc, which doesn't necessarily interpret
>             them as file names.  See  perlop for possible security
>             implications.
> 
> But in 2008, it was still not there. Thus programs written before 2008
> or by developers who started to learn Perl before 2008 can easily be
> affected by this issue.

Thank you for bringing this issue up.
Now, when I grepped through my /usr/bin and found a bunch of old scripts
affected by this I think you are totally right.

But I disagree that a language can be considered insecure, just because
it lets you shoot in the foot.
The first thing I learned when doing CGI coding is to sanitize the
input. That's the root problem in the most cases IMHO.
It's also good to see that perl's documentation gets improved.

> 
> BTW, I've just seen that I already reported a documentation bug in
> the past:
> 
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=592727
> 
> This was about the behavior, which is not specified, e.g. on
> the argument '>file'.
> 
>> Quoting the perlipc:
>>
>> "it's much more efficient to process the file one line or record at a
>> time because then you don't have to read the whole thing into memory at
>> once."
> 
> Well, with a pipe used from the shell (either with "|" or with
> process substitution) instead of a special Perl syntax, the
> behavior is the same.
> 

This feature is heavily used. Just grepping over my /usr/bin found 31
scripts using this construct and a few of randomly picked up scripts are
affected...

May be lintian's warning for something like "while\s?(\s?<>\s?)" in perl
script explaining people that they should test the scripts is a good
start to eliminate that in Debian?