
Re: Potentially insecure Perl scripts



Ian Jackson:
> Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
>> Even if we care only about scripts which are part of Debian, rather
>> than scripts which people merely expect to run on Debian (and where
>> they trust Debian to not blow their leg off), there will probably be
>> many thousands.
> 
> I asked codesearch about
>    while.*\<\>
> and got 10780 results.
> 

Hi,

I had a similar thought but tried a slightly more complex pattern:

    (while\s*|for(each)?\s*(my)?\s*\$.*)\(.*<>\s*\)

The pattern also tries to cover "for" and "foreach" while also being
more strict to prune false positives (C++ templates, Pascal and SQL trip
naive searches for "<>").

This variant still puts us in the 3000 - 4000 results, which (while
being less than half of the original number) is far more than is likely
to be resolved manually in a reasonable time frame.

Thanks,
~Niels
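
Added example, not part of the original message: both patterns quoted in the thread are run over a handful of constructed lines to show which false positives the stricter one prunes, which `for`/`foreach` loops it gains, and which form it no longer sees. The sample lines and the helper names `classify` and `score` are assumptions, and Python's `re` module stands in for the codesearch regex engine.

```python
import re

# The two patterns quoted in the thread, unchanged.
NAIVE = re.compile(r"while.*\<\>")
STRICT = re.compile(r"(while\s*|for(each)?\s*(my)?\s*\$.*)\(.*<>\s*\)")

# Constructed sample lines: (language, really reads via Perl's <>, source line).
SAMPLES = [
    ("perl",   True,  "while (<>) { print; }"),
    ("perl",   True,  "while (my $line = <>) { chomp $line; }"),
    ("perl",   True,  "foreach my $l (<>) { push @out, $l; }"),
    ("perl",   True,  "for $l (<>) { print $l; }"),
    ("perl",   True,  "print while <>;"),
    ("c++",    False, "while (!std::is_sorted(v.begin(), v.end(), std::less<>())) fix(v);"),
    ("sql",    False, "while (select count(*) from jobs where state <> 'done') > 0"),
    ("pascal", False, "while x <> 0 do x := x - 1;"),
]


def classify(line):
    """Return (naive_hit, strict_hit) for one source line."""
    return bool(NAIVE.search(line)), bool(STRICT.search(line))


def score(pattern):
    """Return (true_pos, false_pos, false_neg) for one pattern over SAMPLES."""
    tp = fp = fn = 0
    for _lang, uses_diamond, line in SAMPLES:
        hit = bool(pattern.search(line))
        if hit and uses_diamond:
            tp += 1
        elif hit:
            fp += 1
        elif uses_diamond:
            fn += 1
    return tp, fp, fn


if __name__ == "__main__":
    print(f"{'lang':<7} {'naive':<6} {'strict':<7} line")
    for lang, _uses, line in SAMPLES:
        naive_hit, strict_hit = classify(line)
        print(f"{lang:<7} {str(naive_hit):<6} {str(strict_hit):<7} {line}")
    print("naive  (tp, fp, fn):", score(NAIVE))
    print("strict (tp, fp, fn):", score(STRICT))
```

On these lines the stricter pattern drops the C++, SQL and Pascal hits and picks up the `for`/`foreach` loops, but it no longer matches the unparenthesised statement-modifier form `print while <>;`.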

