perl.perl5.porters | Postings from April 2003

Re: [PATCH 5.8.1 @19053] Getopt::Std

From: Nicholas Clark
Date: April 6, 2003 12:59
Subject: Re: [PATCH 5.8.1 @19053] Getopt::Std
Message ID: 20030406195614.GC276@Bagpuss.unfortu.net

On Sun, Apr 06, 2003 at 12:37:24PM -0700, Ilya Zakharevich wrote:
> On Sun, Apr 06, 2003 at 11:47:43AM +0200, Johan Vromans wrote:
> > > Tough luck.  IIUC, security considerations imply that the most we can
> > > do with unprepared program is to put message on STDERR, and continue.
> > 
> > s/STDERR/STDOUT/;
> > s/continue/die/;
> 
> Sorry, but my argument stands as is.  Unless we know that it is safe
> to let the user interrupt the script (by giving it options), or change
> the STDOUT output, we should not.  It may be setuid or otherwise critical.

But if the user can give extra options to a script, potentially they can
already stop it. For example, if I add an option --non-existent-option

../../miniperl -I../../lib bin/enc2xs --non-existent-option -Q -O -o def_t.c -f def_t.fnm
Unknown option: -
Reading on-existent-option (iso-8859-1)
Reading on-existent-option (ascii)
Reading on-existent-option (ascii-ctrl)
Reading on-existent-option (null)
Writing compiled form
Use of uninitialized value in substr at bin/enc2xs line 755, <E> line 458.
Illegal division by zero at bin/enc2xs line 334, <E> line 458.


this program happens to crash. Arguably that is bad design on this program.
But if you're able to add options to an existing script, you already have
considerable control. If you're allowed to add new command line arguments
even more so. If your arguments are via a shell command line, `rm -rf /`

You appear to be arguing that we mustn't add options to stop programs for
the specific case of protecting programs which untrusted users are allowed
to add arbitrary options to, where said programs are carefully designed so
that no combination of options that can be added materially affect the
intent of their outcome.

I'm arguing that the set of such programs running in such situations is
very small. No sane sysadmin would do this.

If we're so worried about critical scripts why are we changing the interface
at all?

Nicholas Clark
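
Added example, not part of the original message and not code from enc2xs or the patch: what Getopt::Std does with the unknown long option shown above, and a caller that checks the return value of getopts() before doing any work. The option spec, the usage text and the sub names are assumptions made for illustration.

```perl
#!/usr/bin/perl
# Added example, not code from the thread. The option spec is an assumption.
use strict;
use warnings;
use Getopt::Std;

my $SPEC = 'QOo:f:n:';    # hypothetical: -Q -O flags; -o, -f, -n take a value

# Run getopts over a constructed argument list; return its status, the
# options it set, and whatever it left in @ARGV.
sub parse {
    local @ARGV = @_;
    my %opt;
    my $ok = getopts($SPEC, \%opt);    # false if any unknown option was seen
    return ($ok, \%opt, [@ARGV]);
}

sub show {
    my ($label, $ok, $opt, $rest) = @_;
    print "$label: getopts returned ", ($ok ? 'true' : 'false'), "\n";
    print "  -$_ = $opt->{$_}\n" for sort keys %$opt;
    print "  remaining: @$rest\n";
}

# Constructed input modelled on the command line in the message.
my @argv = qw(--non-existent-option -Q -O -o def_t.c -f def_t.fnm);

# Caller that ignores the return value: parsing carried on, and the
# tail of the unknown word was re-read as -n with a value.
my ($ok, $opt, $rest) = parse(@argv);
show('unchecked', $ok, $opt, $rest);

# Caller that treats a false return as fatal before doing any work.
sub parse_or_die {
    my ($ok, $opt, $rest) = parse(@_);
    die "usage: prog [-QO] [-o file] [-f file] [-n name] ...\n" unless $ok;
    return ($opt, $rest);
}

my $strict = eval { parse_or_die(@argv); 1 };
print "checked: ", ($strict ? 'continued' : "refused: $@");
```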
