develooper Front page | perl.perl5.porters | Postings from July 2008

Re: Creative and *routine* use of so-called "magic" ARGV (was[perl #2783] Security of ARGV using 2-argument open)

Thread Previous | Thread Next
July 30, 2008 09:51
Re: Creative and *routine* use of so-called "magic" ARGV (was[perl #2783] Security of ARGV using 2-argument open)
Message ID:
On Wed, Jul 30, 2008 at 05:01:38PM +0200, Roland Giersig wrote:
> Abigail wrote:
>  > Eh, the argument Aristotle and I used, and Rafael agrees with isn't that
>> programs will break with newer versions of Perl, it's that programs
>> written to be safe in 5.12 (or whenever <> defaults to 3-arg), become
>> unsafe when run with an older perl. But if you leave <> as is, and use
>> <<>> for 3-arg open, a program using safe opens won't run on a perl that
>> doesn't have the feature.
> >
>> Surely you must agree that a program is safer if it refuses to run on a
>> perl that doesn't use 3-arg open than a program that silently uses 2-arg
>> open?
> This can also be accomplished with "use v5.12", no?
> Do we assume that somebody who knows or learns about the 3-arg-diamond  
> also knows about the security-implications? I would say 'yes', so this  
> programmer will probably care enough to insert a 'use v5.12' to prevent  
> running on older perls.
> A programmer who in your case uses the 3-arg-open '<<>>' already gives  
> up backward-compatibility, preventing usage of the script in an unsafe  
> environment.
> Which he also could do in my case by using the '<>' changed to  
> 3-arg-open and adding 'use v5.12'.

The case discussed here is not smart programmers. If we had programmers
that did the right thing, we wouldn't even have this discussion, as then
programmers wouldn't use while(<>) in environments where it's unsafe.

And as long as we have dumb programmers who should need protection, 
I wouldn't count on them adding 'use v5.12' to their programs. Or someone
else taking their code, and removing the 'use 5.12' (because it runs on
5.10 anyway).


Thread Previous | Thread Next Perl Programming lists via nntp and http.
Comments to Ask Bjørn Hansen at | Group listing | About