Front page | perl.perl5.porters |
Postings from April 2003
On Sun, Apr 06, 2003 at 11:47:43AM +0200, Johan Vromans wrote: > > Tough luck. IIUC, security considerations imply that the most we can > > do with unprepared program is to put message on STDERR, and continue. > > s/STDERR/STDOUT/; > s/continue/die/; Sorry, but my argument stands as is. Unless we know that it is save to let the user interrupt the script (by giving it options), or change the STDOUT output, we should not. It may be setuid or otherwise critical. > I know several scripts that probe a program with --version first to > verify that a minimal version is installed, or to adjust command line > arguments depending on the returned version information. Currently they do not work with unprepared Getopt:: scripts. So it is not a security consideration that they won't work until the script is minimally modified. It should be enough to do one-place modification $Getopt::Std::HELP_VERSION_AWARE = 1; to change the behaviour to be standard-conforming. Currently it is clear that we can be minimally-useful (print an appropriate message on TTY) without security concerns (since we were doing the same otherwise too); but to be maximally useful (use STDOUT, and exit()) we *need* at least one hint from the script. IlyaThread Previous | Thread Next