develooper Front page | perl.perl5.porters | Postings from July 2008

Re: Creative and *routine* use of so-called "magic" ARGV (was [perl#2783] Security of ARGV using 2-argument open)

Thread Previous | Thread Next
Roland Giersig
July 30, 2008 05:50
Re: Creative and *routine* use of so-called "magic" ARGV (was [perl#2783] Security of ARGV using 2-argument open)
Message ID:
Rafael Garcia-Suarez wrote:
> 2008/7/29 Aristotle Pagaltzis <>:
>> We can discourage the unconsidered use of magic ARGV with a
>> warning. This would be the exact same strategy that C compilers
>> followed WRT `gets`, which it seems to me worked well for C. It
>> also seems to me that the people who are certain enough that they
>> want this feature are also people who won't shy away from muting
>> a warning.
> Recapitulating what was proposed by you, we are getting to :
> * not changing <>
> * introducing new, safer <<>> (or «» if I may joke about the
> utf8-cleanliness of the tokeniser)
> * a feature or a pragma then becomes not useful
> * a way to extend ARGV's magic would be nice, but needs not to be in the core

Sounds good, but leaves the issue of fixing <> (which is important 
IMHO). How about this:

in v5.12:

* add the '<<>>' operator as the now-standard magic 2-arg-open (clone it 
from '<>')

* issue a warning whenever '<>' invokes its magic, telling about the 
coming change, i.e.

  "You are using the magical behaviour of the <> operator with regards 
to command pipes| or file redirections in ARGV. Please note that <> will 
lose its magic in the next version. To keep the magical behaviour, use 
the new <<>> operator instead."

* add a pragma, e.g. "use feature safe_diamond" or equivalent to already 
switch '<>' over to use the 3-args-open. That way developers can already 
use the new behaviour, avoiding those dreaded version-checks.

* "use v5.x" (for x < 12) of course should switch magical behaviour back 
on for '<>'.

in v5.14:

* change the default behaviour of '<>' to safe 3-args-open.

* make the pragma a no-op.

This approach means that people have plenty of time to adapt their apps 
if they really rely on magical behaviour by either changing '<>' to 
'<<>>' or adding 'use v5.x'. If they do nothing, their apps just become 
a little bit safer.

BTW: -n and -p should either keep their magical behaviour for one-liners 
or -N and -P should be added.

As a side note to the backward-compatibility-police: IMHO anybody who 
upgrades perl to a new major version number, NOT checking the change 
notes, NOT adding "use v5.x" and still expecting that everything works 
exactly as before in his legacy apps just gets what he deserves...

Coming to think of, this argument is so strong that the 
two-step-approach now seems overkill to me. Just making sure that "use 
5.x" switches the magic back on for '<>' should be sufficient.


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About