
Re: flashplugin-nonfree get-upstream-version.pl security concern



Mike Mestnik <cheako+debian-security@mikemestnik.net> writes:
> The link($1) can't contain a ", but a few others (i.e. ') should be added
> to this list and use...
> open INPUT, "wget --user-agent=\"$user_agent\" -qO - \"$url\" |" or die;
> or
> open INPUT, "wget --user-agent='$user_agent' -qO - '$url' |" or die;

Using the three-or-more argument form of open is better:

  open INPUT, "-|", "wget", "--user-agent=$user_agent", "-qO", "-", $url
      or die;

This avoids using the shell (unless there's only one argument, see
perldoc -f open for that case).  Even in this case one should make sure
that $url is sane and doesn't for example start with a dash like
options.

It's also possible to use (for example) LWP::UserAgent here.

Ansgar
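
The two points made in the message above (list-form open, plus a sanity check on $url), put together as an added example; it is not code from the thread or from the flashplugin-nonfree package. The names url_is_sane and fetch and the allowed character set are assumptions made for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Hypothetical helper: accept only absolute http(s) URLs built from a
# conservative character set, so the value can never be read by wget as
# an option and never carries quotes or whitespace.
sub url_is_sane {
    my ($url) = @_;
    return 0 unless defined $url && length($url) < 2048;
    return $url =~ m{\A https?:// [A-Za-z0-9.-]+ (?: :\d+ )?
                     (?: / [A-Za-z0-9._~%/?&=+-]* )? \z}x ? 1 : 0;
}

# Hypothetical wrapper around the list-form pipe open: every argument is
# handed to wget directly, no shell parses the command line.
sub fetch {
    my ($user_agent, $url) = @_;
    die "refusing suspicious URL\n" unless url_is_sane($url);
    # "--" ends option parsing (getopt convention), so even a value that
    # slipped past the check could not be taken as an option.
    open my $in, "-|", "wget", "--user-agent=$user_agent",
        "-qO", "-", "--", $url
        or die "cannot run wget: $!\n";
    local $/;                       # slurp the whole response
    my $body = <$in>;
    close $in or die "wget failed (status $?)\n";
    return $body;
}

# Constructed sample values; only the validator runs here, no network.
my @samples = (
    "http://example.org/download/index.html",   # plain URL
    "--some-option=value",                      # starts with a dash
    "http://example.org/'; echo x; '",          # quote and whitespace
    "ftp://example.org/file",                   # scheme not allowed
);
printf "%-45s %s\n", $_, url_is_sane($_) ? "accepted" : "rejected"
    for @samples;
```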

