Re: Potentially insecure Perl scripts

To: Ian Jackson <ijackson@chiark.greenend.org.uk>
Cc: perl@packages.debian.org, security@debian.org, Guillem Jover <guillem@debian.org>, debian-devel@lists.debian.org
Subject: Re: Potentially insecure Perl scripts
From: Vincent Lefevre <vincent@vinc17.net>
Date: Fri, 25 Jan 2019 00:41:20 +0100
Message-id: <[🔎] 20190124234120.GA26896@zira.vinc17.org>
Mail-followup-to: Ian Jackson <ijackson@chiark.greenend.org.uk>, perl@packages.debian.org, security@debian.org, Guillem Jover <guillem@debian.org>, debian-devel@lists.debian.org
In-reply-to: <[🔎] 23625.55120.700245.2863@chiark.greenend.org.uk>
References: <[🔎] 20190123130554.GA23813@cventin.lip.ens-lyon.fr> <[🔎] 20190124135558.GA6524@thunder.hadrons.org> <[🔎] 23625.54560.431642.679629@chiark.greenend.org.uk> <[🔎] 23625.55120.700245.2863@chiark.greenend.org.uk>

On 2019-01-24 15:18:40 +0000, Ian Jackson wrote:
> Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> > The right answer is to fix the behaviour to be secure and sane by
> > default.  We can arrange for an environment variable for people who
> > want to turn the crazy back on.
> 
> To the Debian Perl maintainers: if I make a patch to make
>   -p -n <>
> use the 3-argument form of open (or equivalent), will you apply it ?

I fear that this is not that simple: I suppose that this will break
scripts that modify @ARGV to make <> secure. :(

Now, perhaps the number of such scripts is close to 0. I don't know.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)

Reply to:

Follow-Ups:
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

References:
- Potentially insecure Perl scripts
  - From: Vincent Lefevre <vincent@vinc17.net>
- Re: Potentially insecure Perl scripts
  - From: Guillem Jover <guillem@debian.org>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>
- Re: Potentially insecure Perl scripts
  - From: Ian Jackson <ijackson@chiark.greenend.org.uk>

Prev by Date: Bug#920389: ITP: golang-github-intel-tfortools -- template scripting support to go programs
Next by Date: Bug#920392: ITP: rusty-tags -- generate tags for source code navigation for a cargo project
Previous by thread: Re: Potentially insecure Perl scripts
Next by thread: Re: Potentially insecure Perl scripts
Index(es):
- Date
- Thread