On Sun, Jul 27, 2014 at 09:50:59AM -0400, Peter Martini wrote:
> On 7/25/14, Abigail <abigail@abigail.be> wrote:
> >
> > Considering that with one liners, you're typically in full control of
> > what you type, including the command line arguments, I'm not sure
> > whether just changing -n and -p, robbing the user of options, is the
> > right way.
> >
> >
> > When was the last time you couldn't write a -n/-p one liner, because
> > one of the arguments you wanted to give would trigger magic open, and
> > you didn't want that to happen?
>
> It's actually more dangerous and has sharper edges than may be
> initially considered. Putting on my security hat:
>
> shell $ touch 'report6; ls -l * |'
> shell $ perl -pe '' report*
>
> Even with one liners, the user isn't necessarily aware of the
> arguments that will be processed.

Sure, but even with magic open disabled,

    $ perl -pe '' *

isn't safe, as someone may have created a file starting with -e.

It's "not knowing what your wildcard expands to" which is the dangerous
thing. Magic open is just one of the things wildcard expansion can make
use of. But disabling magic open doesn't make wildcard expansion safe
if you don't know what it expands to.


Abigail
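
An added example, not part of the original message: a POSIX shell check that lists which names a `*` glob would expand to that perl would take as a switch or that two-argument (magic) open would treat specially, so the expansion can be reviewed before a `-n`/`-p` one-liner runs. `classify_arg` and `audit_glob` are hypothetical helper names, and the rules encode perl's two-argument open behaviour (pipes, mode prefixes, `-` as STDIN, surrounding whitespace ignored) as an assumption of this example.

```shell
#!/bin/sh
# Added example (not from the thread). classify_arg and audit_glob are
# hypothetical helper names.

# classify_arg NAME -> option | magic-open | plain
classify_arg() {
    case $1 in
        -?*) echo option; return ;;      # perl parses it as a switch, e.g. -e
    esac
    t=$1
    # Two-argument open ignores surrounding whitespace, so trim first.
    while :; do case $t in [[:space:]]*) t=${t#?} ;; *) break ;; esac; done
    while :; do case $t in *[[:space:]]) t=${t%?} ;; *) break ;; esac; done
    case $t in
        -|'|'*|*'|'|'<'*|'>'*|'+<'*|'+>'*) echo magic-open ;;
        *) echo plain ;;
    esac
}

# audit_glob DIR: print "KIND<TAB>NAME" for each risky entry that DIR/*
# matches; exit status 1 if any were found, 0 otherwise.
audit_glob() {
    found=0
    for path in "$1"/*; do
        [ -e "$path" ] || continue
        name=${path##*/}
        kind=$(classify_arg "$name")
        [ "$kind" = plain ] && continue
        printf '%s\t%s\n' "$kind" "$name"
        found=1
    done
    return "$found"
}

# Demo on constructed file names in a scratch directory.
demo=$(mktemp -d)
touch "$demo/report1.txt" "$demo/report6; ls -l * |" "$demo/-e"
audit_glob "$demo" || echo "review these before running: perl -pe '' *"
rm -rf "$demo"
```

With a `./` prefix, as a `./*` glob would produce, the `-e` name classifies as plain, while the name ending in `|` is still flagged as magic-open.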