develooper Front page | perl.perl5.porters | Postings from July 2008

Re: Creative and *routine* use of so-called "magic" ARGV (was [perl #2783] Security of ARGV using 2-argument open)

Thread Previous | Thread Next
Rafael Garcia-Suarez
July 29, 2008 13:42
Re: Creative and *routine* use of so-called "magic" ARGV (was [perl #2783] Security of ARGV using 2-argument open)
Message ID:
2008/7/29 Aristotle Pagaltzis <>:
> * Abigail <> [2008-07-28 21:30]:
>>  - Programs that wouldn't use while (<>) pre-5.12 (because they
>>    might run in an environment where file names may start with
>>    '|' or '>') will use 3-arg "safe" while (<>), will be,
>>    silently, a security issue when run with a pre-5.12.
>> If you make "while (<<>>)" to be 3-arg open, then at least such
>> programs will fail to compile when run with a pre-5.12 perl.
> Exactly. I want to highlight this again: in my opinion, having
> code that is safe under 5.12 (or 5.10.1 or whenever) not silently
> become unsafe under 5.10.0 or earlier is an incontrovertible
> argument for introducing a new safe diamond-like operator as
> incompatible syntax.

If I parse you well, that's indeed a compelling argument. Finding a
balance between security and compatibility isn't very easy.

> We can discourage the unconsidered use of magic ARGV with a
> warning. This would be the exact same strategy that C compilers
> followed WRT `gets`, which it seems to me worked well for C. It
> also seems to me that the people who are certain enough that they
> want this feature are also people who won't shy away from muting
> a warning.

Recapitulating what was proposed by you, we are getting to :
* not changing <>
* introducing new, safer <<>> (or «» if I may joke about the
utf8-cleanliness of the tokeniser)
* a feature or a pragma then becomes not useful
* a way to extend ARGV's magic would be nice, but needs not to be in the core

Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About