perl.perl5.porters | Postings from July 2008

Re: Alarums and Excursions (was [perl #2783] Security of ARGV using 2-argument open)

From:
Rafael Garcia-Suarez
Date:
July 29, 2008 02:00
Subject:
Re: Alarums and Excursions (was [perl #2783] Security of ARGV using 2-argument open)
Message ID:
b77c1dce0807290200w26b1ddb1y34e5a3c5aef5df00@mail.gmail.com
2008/7/29 Glenn Linderman <perl@nevcal.com>:
> On approximately 7/28/2008 11:38 AM, came the following characters from the
> keyboard of Mark Dominus:
>> For example, I have a program that generates reports from my web server
>> logs which begins:
>>
>>        #!/usr/bin/perl -lan
>>        BEGIN {
>>          for (@ARGV) {
>>            if (/\.gz$/) {
>>              $_ = "gzip -dc $_ |";
>>            }
>>          }
>>        }
>>        ...

I've written code like that too...

> Nary a "while(<>)" in sight in that code snippet.  I guess you are
> preprocessing real file names in preparation for a later "while(<>)"?

No, Mark is using -n. As Ed was saying before, -n and -p are magic
enough to use the unsafe form by default.

> Have you shared that code with anyone?  If so, how do you protect them from
> overwriting their file "boo.gz" when they also have a file ">boo.gz" in the
> same directory, and invoke your program with
>
> "mark's script" *
>
> I'm sure it is quite safe in your web server environment, which doesn't have
> such names, and is secure from having such names created therein, but you
> shouldn't assume your customers are so lucky.
>
> So programs such as your sample snippet would need an extra line
>
> use magic_argv 'pipes';  # or something similar
>
> to continue working if the change is made in the scope of the "while(<>)"
> statement.

or replace while(<>) by while(<<>>). Both of which are
backwards-incompatible, unless some magic_argv.pm is put on CPAN that
does nothing on 5.10.x and below.

-- 
Backwards compatibility is often incompatible with security.
-- Bruce Schneier,
http://www.schneier.com/blog/archives/2006/08/technological_a_1.html
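The hazard Glenn describes, worked through in Perl as an added example. This
is not code from the thread or from perl itself: it assumes gzip(1) is on
PATH, uses the core IO::Compress::Gzip module to build its test data, and the
scratch directory, both file names and their contents are constructed for the
demonstration. Alongside the unsafe magic <> it shows the hardening that keeps
Mark's gzip handling and works on 5.10 without waiting for <<>>:
three-argument open for plain files and the list-form pipe open for gzip.

```perl
#!/usr/bin/perl
# Added example, not code from the thread: shows how the magic <> (two-argument
# open on each @ARGV element) lets a planted file literally named ">boo.gz"
# truncate the real boo.gz when a script is invoked as `script *`, and a
# hardened version that keeps the gzip handling. All names and contents are
# constructed for the demonstration.
use strict;
use warnings;
use File::Temp qw(tempdir);
use IO::Compress::Gzip qw(gzip $GzipError);    # core module since perl 5.10

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# What the shell's `*` expands to in a directory holding both files: '>'
# (0x3E) sorts before 'b' (0x62), so the hostile name is processed first.
my @argv = ('>boo.gz', 'boo.gz');

# (Re)create the two inputs: a genuine gzipped log and an attacker-planted
# file whose *name* starts with '>'. Both hold valid gzip data.
sub plant {
    gzip(\"real log line\n",            'boo.gz')  or die "gzip: $GzipError";
    gzip(\"attacker-controlled line\n", '>boo.gz') or die "gzip: $GzipError";
}

# UNSAFE: the null filehandle does open(ARGV, $ARGV). A leading '>' means
# "open for writing", so boo.gz is truncated at open time and the read that
# follows yields nothing. (Rewriting the element to "gzip -dc $_ |" as in the
# quoted script is no better: that string goes to the shell, which honours
# the same '>' redirection.)
sub unsafe_lines {
    local @ARGV = @_;
    my $n = 0;
    $n++ while <>;
    return $n;
}

# SAFE and portable to 5.10: three-argument open fixes the mode, and the
# list-form pipe open runs gzip without a shell, so '>' and '|' in a file
# name are just bytes. (On perl 5.22+, while (<<>>) gives the same
# three-argument behaviour for plain files, but does not gunzip anything.)
sub safe_lines {
    my $n = 0;
    for my $path (@_) {
        my $fh;
        if ($path =~ /\.gz\z/) {
            # '--' keeps a name starting with '-' from being read as an option.
            open $fh, '-|', 'gzip', '-dc', '--', $path
                or die "cannot run gzip on $path: $!";
        } else {
            open $fh, '<', $path or die "cannot open $path: $!";
        }
        $n++ while <$fh>;
        close $fh or die "$path: gzip exited with status " . ($? >> 8) . "\n";
    }
    return $n;
}

plant();
my $safe = safe_lines(@argv);
printf "safe:   %d lines read, boo.gz is %d bytes (intact)\n",
    $safe, (-s 'boo.gz') || 0;

plant();
my $unsafe = unsafe_lines(@argv);
printf "unsafe: %d lines read, boo.gz is %d bytes (truncated)\n",
    $unsafe, (-s 'boo.gz') || 0;

chdir '/';    # leave the scratch directory so CLEANUP can remove it
```

Run with no arguments; the hard-coded @argv stands in for the shell's `*`.
The safe pass reads one line from each file and leaves boo.gz untouched; the
unsafe pass reads nothing and leaves boo.gz at zero bytes, because nextargv
opened ">boo.gz" for writing before a single line was read. Nothing beyond the
temporary directory is touched.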
