perl.perl5.porters | Postings from July 2011

Re: [PATCH] [DOCS] Modernize perlopentut.pod

From: George Greer
Date: July 19, 2011 20:32
Subject: Re: [PATCH] [DOCS] Modernize perlopentut.pod
Message ID: alpine.LFD.2.02.1107192330510.3979@ein.m-l.org
On Tue, 19 Jul 2011, David Golden wrote:

> On Tue, Jul 19, 2011 at 10:39 PM, Aristotle Pagaltzis <pagaltzis@gmx.de> wrote:
>> * David Golden <xdaveg@gmail.com> [2011-07-18 22:40]:
>>> As Tom points out, there is no problem with 2-arg open if *you*
>>> control all the arguments and know what you're doing. The
>>> rationale for 3-arg open is (IMO) that it's less error-prone.
>>
>> 2-arg open is also useful when you don’t *want* to control all
>> inputs, such as giving a caller the option to ask for transparent
>> decompression by piping from zcat instead of reading from a file.
>
> Yes and that's exactly the sort of security hole that teaching 3-arg
> open is intended to avoid.  Sure, you *can* let users open arbitrary
> shell programs, just like you *can* execute arbitrary code in eval(),
> but that's not the sort of thing that should be in a tutorial, except
> to point out "here is a huge security hole -- use with caution and
> only with trusted users".  Your "sysadmin stratum" probably falls into
> the "trusted user" camp, which is why it can be an appropriate
> technique for that group.[1]

My only regret about 3-arg open is it makes me re-add logic to handle "-" 
for stdin/stdout and I'm sure a number of programs would greatly benefit 
from having that work automatically.

-- 
George Greer
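The trade-off the thread is circling (2-arg open parses the name for mode characters and pipes, 3-arg open takes it literally but loses the "-" convention) in working code. This is an added example, not code from the thread or from perlopentut; the helper names open_input, open_output and unsafe_open_input are made up for illustration, and the decompression hook assumes a gzip binary on the PATH.

```perl
#!/usr/bin/perl
# Added example (not from the thread or perlopentut): a small copy filter
# that uses 3-arg open everywhere and re-adds the "-" convention by hand.
# Helper names (open_input, open_output, unsafe_open_input) are made up.
use strict;
use warnings;

# 2-arg open: the single string is parsed for mode characters, so a
# caller-supplied name such as "zcat data.gz |" runs a program, and a bare
# "-" means STDIN. Convenient when you trust the caller, a hole otherwise.
sub unsafe_open_input {
    my ($name) = @_;
    open(my $fh, $name) or die "open '$name': $!";
    return $fh;
}

# 3-arg open: the mode is fixed and the name is taken literally, including
# leading/trailing whitespace and any "|" or ">" characters. The price is
# that "-" now names a file called "-", so STDIN/STDOUT must be handled
# explicitly; here by duplicating the standard handles.
sub open_input {
    my ($name) = @_;
    if ($name eq '-') {
        open(my $fh, '<&', \*STDIN) or die "dup STDIN: $!";
        return $fh;
    }
    # Optional transparent decompression, done without a shell: the
    # list form of the pipe open passes the arguments straight to exec,
    # so nothing in $name is interpreted by /bin/sh.
    if ($name =~ /\.gz\z/) {
        open(my $fh, '-|', 'gzip', '-dc', '--', $name)
            or die "gzip '$name': $!";
        return $fh;
    }
    open(my $fh, '<', $name) or die "open '$name': $!";
    return $fh;
}

sub open_output {
    my ($name) = @_;
    if ($name eq '-') {
        open(my $fh, '>&', \*STDOUT) or die "dup STDOUT: $!";
        return $fh;
    }
    open(my $fh, '>', $name) or die "open '$name': $!";
    return $fh;
}

# Usage: perl filter.pl [IN|-] [OUT|-]   (both default to "-")
my ($in_name, $out_name) = @ARGV;
$in_name  = '-' unless defined $in_name;
$out_name = '-' unless defined $out_name;

my $in  = open_input($in_name);
my $out = open_output($out_name);
while (my $line = <$in>) {
    print {$out} $line;
}
# On a pipe handle, close fails if the child exited non-zero.
close $in  or die "close input: $!";
close $out or die "close output: $!";
```

The point of the decompression branch is that Aristotle's use case (let the caller get zcat-style decompression) does not require the 2-arg form: the program decides which command runs and the user only supplies a filename, so `open_input('foo.gz; rm -rf ~')` opens (or fails to open) a file of that exact name rather than running anything. If you genuinely want callers to name their own pipeline, that is the "trusted users only" case David describes, and `unsafe_open_input` is the honest name for it.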



nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org