develooper Front page | perl.perl5.porters | Postings from July 2008

Re: Creative and *routine* use of so-called "magic" ARGV (was[perl #2783] Security of ARGV using 2-argument open)

Thread Previous | Thread Next
Aristotle Pagaltzis
July 29, 2008 11:59
Re: Creative and *routine* use of so-called "magic" ARGV (was[perl #2783] Security of ARGV using 2-argument open)
Message ID:
Hi Tom,

* Tom Christiansen <> [2008-07-29 05:40]:
> The thought of updating triple-digit numbers of my happily
> running scripts that certain individuals would just as well see
> broken is really beyond the conscionable--or its promulgators,
> conscientiousness.

do these scripts enable warnings?

* Abigail <> [2008-07-28 21:30]:
>  - Programs that wouldn't use while (<>) pre-5.12 (because they
>    might run in an environment where file names may start with
>    '|' or '>') will use 3-arg "safe" while (<>), will be,
>    silently, a security issue when run with a pre-5.12.
> If you make "while (<<>>)" to be 3-arg open, then at least such
> programs will fail to compile when run with a pre-5.12 perl.

Exactly. I want to highlight this again: in my opinion, having
code that is safe under 5.12 (or 5.10.1 or whenever) not silently
become unsafe under 5.10.0 or earlier is an incontrovertible
argument for introducing a new safe diamond-like operator as
incompatible syntax.

We can discourage the unconsidered use of magic ARGV with a
warning. This would be the exact same strategy that C compilers
followed WRT `gets`, which it seems to me worked well for C. It
also seems to me that the people who are certain enough that they
want this feature are also people who won’t shy away from muting
a warning.

Aristotle Pagaltzis // <>

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About