
Re: Potentially insecure Perl scripts



Guillem Jover writes ("Re: Potentially insecure Perl scripts"):
> Part of the problem might also be that perlcritic recommends this in its
> InputOutput::ProhibitExplicitStdin policy, you can see the description
> with «perlcritic --doc InputOutput::ProhibitExplicitStdin».
> 
> For dpkg, for example, I completely disabled that policy as bogus, when
> hooking the perlcritic checks in:
>   <https://git.dpkg.org/git/dpkg/dpkg.git/tree/t/critic/perlcriticrc#n67>

What this demonstrates (again) is that the Perl community's practice
is inconsistent with the "formal specification" (such as it is) of the
behaviour of <>.

The right answer is to fix the behaviour to be secure and sane by
default.  We can arrange for an environment variable for people who
want to turn the crazy back on.

Ian.

-- 
Ian Jackson <ijackson@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
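Added example, not code from the mail above or from dpkg: the behaviour of <> that the thread is about is Perl's documented "magic open", where each element of @ARGV is opened with two-argument open, so an argument ending in a pipe runs a command and one starting with > truncates a file. The script below puts the <>-based reader beside two readers that do not have that property: an explicit three-argument open, and the <<>> operator that Perl 5.22 introduced for exactly this reason. The scratch file, its contents, and the hostile argument are constructed for the example.

```perl
#!/usr/bin/perl
# Added example for this thread (not code from the original mail or from
# dpkg): the "magic open" behind <>, and two ways to read the files named
# on the command line without it.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Vulnerable form.  <> opens each element of @ARGV with two-argument open,
# so an argument such as 'id|' runs `id` and reads its output, an argument
# such as '>out' creates or truncates a file named "out", and a bare "-"
# means STDIN.  Whether a file is read, executed or clobbered is decided
# by the string the caller supplied.
sub count_lines_magic {
    local @ARGV = @_;          # <> takes its file list from @ARGV
    my $n = 0;
    $n++ while <>;
    return $n;
}

# Safe form A: explicit three-argument open.  Every argument is a plain
# path, so 'id|' is looked up as a file literally named "id|" and fails
# with ENOENT instead of executing anything.
sub count_lines_safe {
    my $n = 0;
    for my $path (@_) {
        open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
        $n++ while <$fh>;
        close $fh;
    }
    return $n;
}

# Safe form B (Perl 5.22 or later): the double-diamond operator <<>> reads
# @ARGV like <> but uses three-argument open, and it does not treat "-" as
# STDIN.  It is compiled via string eval so that this script still parses
# on older perls, where <<>> is a syntax error.
my $count_lines_dd;
if ($] >= 5.022) {
    $count_lines_dd = eval 'sub { local @ARGV = @_; my $n = 0; $n++ while <<>>; $n }'
        or die "failed to compile <<>> form: $@";
}

# Constructed demonstration input: a scratch file with three lines.
my ($tmp, $path) = tempfile(UNLINK => 1);
print $tmp "a\nb\nc\n";
close $tmp;

print "magic open: ", count_lines_magic($path), " lines\n";
print "three-arg:  ", count_lines_safe($path),  " lines\n";
print "<<>>:       ", $count_lines_dd->($path), " lines\n" if $count_lines_dd;

# The difference only shows with a hostile argument.  The magic form would
# execute the command, so that call is left commented out:
#   count_lines_magic('echo pwned|');
eval { count_lines_safe('echo pwned|') };
print "three-arg open refused it: $@";
```

Run it as `perl magic_open.pl`. The one-line equivalent of the problem, on any perl with a default <>, is `perl -ne 'print' 'id|'`, which prints the output of `id` rather than the contents of a file; the same one-liner with <<>> fails to open a file named `id|`. The `$] >= 5.022` guard is the practical caveat for the thread: a script that wants <<>> semantics but must also run on older perls has to fall back to an explicit three-argument open loop, since there is no switch to make plain <> behave that way.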

