Re: Potentially insecure Perl scripts
Vincent Lefevre writes ("Re: Potentially insecure Perl scripts"):
> I fear that this is not that simple: I suppose that this will break
> scripts that modify @ARGV to make <> secure. :(

The easiest way to sanitise a string to make it safe for 2-argument
open involves:

 * prepending ./ if the string does not start with /
 * appending \0 (a nul byte)

The result is also a valid operand for 3-argument open.

Now some people may have prepended < needlessly but (i) if you thought
about this problem this hard you would probably try to make your thing
compatible with a hypothetical fixed <> (ii) we're probably in a small
minority of a tiny minority here (iii) changing the workaround so it
works for both is easy.

So I think this was a reasonable question to ask, but the answer is
that this is very unlikely to be a significant problem.

Ian.
--
Ian Jackson <ijackson@chiark.greenend.org.uk> These opinions are my own.
If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
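
The two sanitising steps listed in the message above, applied to @ARGV before reading with <>. This is an added example, not part of the original message; the function name sanitise_for_open and the sample file names are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# The two steps from the message: anchor relative names with "./" and
# terminate with a NUL byte, so that neither the first nor the last
# character of the name can be parsed as 2-argument open syntax.
# (Hypothetical helper name.)
sub sanitise_for_open {
    my ($name) = @_;
    $name = "./$name" unless $name =~ m{^/};
    return "$name\0";
}

# Constructed sample names that 2-argument open would otherwise read as
# stdin, a pipe, a write mode, or a name with its whitespace stripped.
my @awkward = ('-', 'list|', '>out', ' padded ');

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";
for my $name (@awkward) {
    # 3-argument open takes the name literally, so it can create the files.
    open(my $fh, '>', $name) or die "create '$name': $!";
    print {$fh} "contents of [$name]\n";
    close($fh) or die "close '$name': $!";
}

# The workaround under discussion: rewrite @ARGV, then use <> as usual.
@ARGV = map { sanitise_for_open($_) } @awkward;
while (my $line = <>) {
    (my $shown = $ARGV) =~ s/\0\z//;    # drop the NUL for display only
    print "$shown: $line";
}

chdir '/';    # leave the temporary directory so CLEANUP can remove it
```

Each sanitised name is opened for reading as an ordinary file in the current directory; no command is run and no file is truncated.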