develooper Front page | perl.perl5.porters | Postings from July 2008

Re: Alarums and Excursions (was [perl #2783] Security of ARGV using 2-argument open)

Thread Next
From:
Ed Avis
Date:
July 29, 2008 03:09
Subject:
Re: Alarums and Excursions (was [perl #2783] Security of ARGV using 2-argument open)
Message ID:
loom.20080729T094106-573@post.gmane.org
Abigail <abigail <at> abigail.be> writes:

>>>I've always been a bit uncomfortable with the current magical behaviour,
>>>and that's why I tend to favor a non-compatible change.

> - Programs that were written pre-5.12 that rely on while (<>) to be 
>   2-arg open will silently fail to work correctly when run with a 
>   post 5.12 perl.

Correct.  I think they are a small number of programs relative to the
large number that 'rely' on while (<>) to just read some files - but
this just an educated guess, not something I can prove.

However, the bug introduced will be a fairly benign one: 'file not
found' when trying to use a magic filename.  Whereas the bug of
running an external command or overwriting a file given certain
filenames is a much more serious bug IMHO.

> - Programs that wouldn't use while (<>) pre-5.12 (because they might
>   run in an environment where file names may start with '|' or '>')
>   will use 3-arg "safe" while (<>), will be, silently, a security
>   issue when run with a pre-5.12.

Yes, I can see this is something to worry about.  A conscientious
programmer could make a program that reads some files, but when
someone else runs it on an earlier perl version it becomes a risk.

However, if you think this is bad (and not just 'theoretical') then
this implies believing that the status quo is also bad, since code
with while (<>) is silently a security issue right now - unless every
perl programmer currently using while (<>) has thought about the
implications and carefully decided to turn on the magic behaviour,
which seems unlikely.

The essential issue is to separate the operator for reading files from
the operator for doing magic.  I propose that 5.12 have two
filehandles:

    SAFE_ARGV    reads the files given
    MAGIC_ARGV   might read the files, or do other fun things

Then there are three syntactic sugar pills:

    <>
    <ARGV>
    <<>>

The choice to be made is either (A) maximum compatibility:

    <>        means    <MAGIC_ARGV>
    <ARGV>    means    <MAGIC_ARGV>
    <<>>      means    <SAFE_ARGV>

or (B) safety by default:

    <>        means    <SAFE_ARGV>
    <ARGV>    means    <SAFE_ARGV>
    <<>>      means    <MAGIC_ARGV>

>If you make "while (<<>>)" to be 3-arg open, then at least such programs
>will fail to compile when run with a pre-5.12 perl.

Yes.  Code using <SAFE_ARGV> explicitly would also fail to compile
with pre-5.12.  Suppose there are three kinds of programmer:

1.  A programmer who wants to read some files, who knows about the <>
controversy, and wishes to be sure his code is always safe (even at
the expense of not running on older perls).

2.  A programmer who knows about magic ARGV processing and wants to use it.

3.  A programmer who is not aware of the pitfalls but just wanted to read files.

Here is the code written by each programmer in scenario (A) or (B):

     1                      2                       3
A    <<>> or <SAFE_ARGV>    <> or <MAGIC_ARGV>      <>
B    <SAFE_ARGV>            <<>> or <MAGIC_ARGV>    <>

Under both your proposal (A) and mine (B) the paranoid programmer
would be able to write code that fails to run under old perls.  And
under both proposals the programmer who wants magic would be able to
get it.  The only real difference is what happens to programmer 3.  In
scenario A his or her code remains unsafe under both old and new
perls.  In scenario B the code is unsafe when run under old perls but
correct for 5.12.

I agree it is not ideal to have a caveat for <> saying 'this will do
potentially dangerous things under older perl versions, so watch out'.
But that is a big improvement on having it do dangerous things under
the version you are running now.

-- 
Ed Avis <eda@waniasset.com>


Thread Next


nntp.perl.org: Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at ask@perl.org | Group listing | About