develooper Front page | perl.perl5.porters | Postings from April 2003

Re: [PATCH 5.8.1 @19053] Getopt::Std

Ilya Zakharevich
April 6, 2003 12:37
On Sun, Apr 06, 2003 at 11:47:43AM +0200, Johan Vromans wrote:
> > Tough luck.  IIUC, security considerations imply that the most we can
> > do with unprepared program is to put message on STDERR, and continue.
> s/continue/die/;

Sorry, but my argument stands as is.  Unless we know that it is safe
to let the user interrupt the script (by giving it options), or change
the STDOUT output, we should not.  It may be setuid or otherwise critical.

> I know several scripts that probe a program with --version first to
> verify that a minimal version is installed, or to adjust command line
> arguments depending on the returned version information.

Currently they do not work with unprepared Getopt:: scripts.  So it is
not a security consideration that they won't work until the script is
minimally modified.  It should be enough to do a one-place modification

  $Getopt::Std::HELP_VERSION_AWARE = 1;

to change the behaviour to be standard-conforming.

Currently it is clear that we can be minimally-useful (print an
appropriate message on TTY) without security concerns (since we were
doing the same otherwise too); but to be maximally useful (use STDOUT,
and exit()) we *need* at least one hint from the script.

