Front page | perl.perl5.porters |
Postings from March 2000
The following lines are bugs (but are not all of them)
139 open(TEST,"<$file");
188 opendir DIR, "@p";
251 opendir(D,$dir);
281 open(OUT,">>$tmp") or warn("Can't open $tmp: $!"), return;
283 close OUT;
288 my $rslt = `$cmd`;
291 open(TMP,">>$tmp") or warn("Can't open $tmp: $!"), return;
297 open(OUT,">>$tmp") or warn("Can't open $tmp: $!"), return;
306 close OUT;
456 else {
457 $tmp = "/tmp/perldoc1.$$";
458 $buffer = "/tmp/perldoc1.b$$";
459 }
What's going on here? This sad story just goes on and on.
Do people really not realize how important testing the return values
of syscalls is? Why are we shipping this? Even worse, don't they
realize why all this evil code in all these programs lets their
password file get scribbled on?
At this point, the only recourse a sysadmin has is to remove virtually
all the Perl utilities other than perl that is--from their system.
It's not because they're pathetically sloppy, though that they are.
It's because they all constitute a clear threat to the account of
anyone who ever runs them, or to the whole system should root ever
run them. Anyone who's ever run perlbug or perldoc or perlcc or
s2p or any of the rest of the them on a multiuser system is playing
Russian roulette. And if you've ever done those things as root,
you're trying to take everyone else with you.
I'd hate for www.perl.com to have to start posting security alerts
on the front page, but these are *not* non-serious issues. Perl needs
to be safe to install on a machine that isn't a single-user toybox.
Right now, it isn't.
--tom