Front page | perl.perl5.porters |
Postings from October 2015
* Karl Williamson <public@khwilliamson.com> [2015-10-06 18:05]: > One solution I thought of (that Zefram doesn't like) is for F:G to > fork a shell if and only if it finds a shell metacharacter. That way > the performance wouldn't suffer except in edge cases. You brought this up multiple times. I don’t understand the logic behind that. What makes you think that the fact that unusual inputs to glob() cause the execution of shell commands under PERL_EXTERNAL_GLOB is really a feature that needs to be replicated in its other incarnations? Is your premise hat the purpose of glob() is not just to perform globbing, but also to provide an undocumented poor-usability alternative to system()? I’m at a loss. It doesn’t seem plausible that you thought this through particularly carefully, but maybe there’s some other consideration that drives you in this direction? That would be unlikely (to say the least) to change my conclusion – but even so, it would be interesting to know, and so far you haven’t stated your premises. (I consider this a security hole in PERL_EXTERNAL_GLOB, though the low use of that feature means there is only a low-grade vulnerability here. Nevertheless it should be closed; security breaches usually result from compositions of (mostly) individually-low-grade vulnerabilities.) Regards, -- Aristotle Pagaltzis // <http://plasmasturm.org/>Thread Previous | Thread Next