Front page | perl.perl5.porters |
Postings from July 2014
On Sun, Jul 27, 2014 at 09:50:59AM -0400, Peter Martini wrote:
> On 7/25/14, Abigail <abigail@abigail.be> wrote:
> >
> > Considering that with one liners, you're typically in full control of
> > what you type, including the command line arguments, I'm not sure
> > whether just changing -n and -p, robbing the user of options, is the
> > right way.
> >
> >
> > When was the last time you couldn't write a -n/-p one liner, because
> > one of the arguments you wanted to give would trigger magic open, and
> > you didn't want that to happen?
>
> It's actually more dangerous and has sharper edges than may be
> initially considered. Putting on my security hat:
>
> shell $ touch 'report6; ls -l * |'
> shell $ perl -pe '' report*
>
> Even with one liners, the user isn't necessarily aware of the
> arguments that will be processed.
Sure, but even with magic open disabled,
$ perl -pe '' *
isn't safe, as someone may have created a file starting with -e.
It's "not knowing what your wildcard expands to" which is the dangerous
thing. Magic open is just one of the thing wildcard expansion can make
use of. But disabling magic open doesn't make wildcard expansion safe
if you don't know what it expands to.
Abigail
Thread Previous
|
Thread Next