develooper Front page | perl.perl5.porters | Postings from July 2008

Re: Alarums and Excursions (was [perl #2783] Security ofARGV?using 2-argument open)

Thread Previous | Thread Next
July 29, 2008 03:34
Re: Alarums and Excursions (was [perl #2783] Security ofARGV?using 2-argument open)
Message ID:
On Tue, Jul 29, 2008 at 10:08:50AM +0000, Ed Avis wrote:
> Abigail <abigail <at>> writes:
> >>>I've always been a bit uncomfortable with the current magical behaviour,
> >>>and that's why I tend to favor a non-compatible change.
> > - Programs that were written pre-5.12 that rely on while (<>) to be 
> >   2-arg open will silently fail to work correctly when run with a 
> >   post 5.12 perl.
> Correct.  I think they are a small number of programs relative to the
> large number that 'rely' on while (<>) to just read some files - but
> this just an educated guess, not something I can prove.
> However, the bug introduced will be a fairly benign one: 'file not
> found' when trying to use a magic filename.  Whereas the bug of
> running an external command or overwriting a file given certain
> filenames is a much more serious bug IMHO.

Indeed, it will not be completely silent, it will issue a runtime warning.
The program will still run, and even continue to run after the warning
has been issued.

> > - Programs that wouldn't use while (<>) pre-5.12 (because they might
> >   run in an environment where file names may start with '|' or '>')
> >   will use 3-arg "safe" while (<>), will be, silently, a security
> >   issue when run with a pre-5.12.
> Yes, I can see this is something to worry about.  A conscientious
> programmer could make a program that reads some files, but when
> someone else runs it on an earlier perl version it becomes a risk.
> However, if you think this is bad (and not just 'theoretical') then
> this implies believing that the status quo is also bad, since code
> with while (<>) is silently a security issue right now - unless every
> perl programmer currently using while (<>) has thought about the
> implications and carefully decided to turn on the magic behaviour,
> which seems unlikely.

Not quite. 

If security is an issue, I think the safest way is to tell people *NOW*.
Patch the documentation if you think it's not clear enough. Write articles
on Perlmonks. Send errata to book publishers. Speak at a conference.
Surely that would beat waiting for everyone to upgrade to 5.12.

> The essential issue is to separate the operator for reading files from
> the operator for doing magic.  I propose that 5.12 have two
> filehandles:
>     SAFE_ARGV    reads the files given
>     MAGIC_ARGV   might read the files, or do other fun things
> Then there are three syntactic sugar pills:
>     <>
>     <ARGV>
>     <<>>
> The choice to be made is either (A) maximum compatibility:
>     <>        means    <MAGIC_ARGV>
>     <ARGV>    means    <MAGIC_ARGV>
>     <<>>      means    <SAFE_ARGV>
> or (B) safety by default:
>     <>        means    <SAFE_ARGV>
>     <ARGV>    means    <SAFE_ARGV>
>     <<>>      means    <MAGIC_ARGV>
> >If you make "while (<<>>)" to be 3-arg open, then at least such programs
> >will fail to compile when run with a pre-5.12 perl.
> Yes.  Code using <SAFE_ARGV> explicitly would also fail to compile
> with pre-5.12.

No, it doesn't. Not even with strict. With warnings on, it's likely to
issue a warning (unless SAFE_ARGV happens to be defined), but it's not
a compile time error:

    $ perl -Mstrict -wE 'while (<SAFE_ARG>) {say} END {say "End"}'
    Name "main::SAFE_ARG" used only once: possible typo at -e line 1.
    readline() on unopened filehandle SAFE_ARG at -e line 1.

You'd be better off to make it a feature; using the feature will prevent
the code from running on older perls.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About