
Re: [perl #126271] File::Glob issue

From: Aristotle Pagaltzis
Date: October 13, 2015 09:13
Subject: Re: [perl #126271] File::Glob issue
Message ID: 20151013091317.GA25223@plasmasturm.org
* Karl Williamson <public@khwilliamson.com> [2015-10-06 18:05]:
> One solution I thought of (that Zefram doesn't like) is for F:G to
> fork a shell if and only if it finds a shell metacharacter. That way
> the performance wouldn't suffer except in edge cases.

You brought this up multiple times. I don’t understand the logic behind
that. What makes you think that the fact that unusual inputs to glob()
cause the execution of shell commands under PERL_EXTERNAL_GLOB is really
a feature that needs to be replicated in its other incarnations? Is your
premise that the purpose of glob() is not just to perform globbing, but
also to provide an undocumented poor-usability alternative to system()?

I’m at a loss. It doesn’t seem plausible that you thought this through
particularly carefully, but maybe there’s some other consideration that
drives you in this direction? That would be unlikely (to say the least)
to change my conclusion – but even so, it would be interesting to know,
and so far you haven’t stated your premises.

(I consider this a security hole in PERL_EXTERNAL_GLOB, though the low
use of that feature means there is only a low-grade vulnerability here.
Nevertheless it should be closed; security breaches usually result from
compositions of (mostly) individually-low-grade vulnerabilities.)

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
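The defensive side of the point raised above, as an added example that is not code from the thread or from File::Glob itself: glob a possibly untrusted pattern with File::Glob::bsd_glob, which expands in-process and never forks a shell, and screen the pattern for shell metacharacters beforehand so that callers on a perl built with PERL_EXTERNAL_GLOB (where CORE::glob hands the pattern to an external shell) are protected as well. The metacharacter set and the scratch-directory fixture are the example's own choices.

```perl
#!/usr/bin/env perl
# Added example, not code from the thread or from File::Glob. Globs a pattern
# that may come from an untrusted source without involving a shell: bsd_glob
# expands the pattern in-process, so characters a shell would execute are
# only ever compared against filenames. The up-front check also rejects such
# characters, which protects callers on a perl built with PERL_EXTERNAL_GLOB,
# where CORE::glob passes the pattern to an external shell.
use strict;
use warnings;
use File::Glob qw(bsd_glob GLOB_ERR);
use File::Temp qw(tempdir);

# Characters a POSIX shell interprets (the set is this example's choice).
# Glob metacharacters (* ? [ ]) are deliberately absent: they are the
# legitimate pattern syntax and bsd_glob handles them without a shell.
my $SHELL_META = qr/[;&|<>\$`"'\\(){}\r\n]/;

sub safe_glob {
    my ($pattern) = @_;
    die "refusing pattern with shell metacharacters: $pattern\n"
        if $pattern =~ $SHELL_META;
    # bsd_glob does not fork. GLOB_ERR turns an unreadable directory into
    # an error rather than a silently shortened result list.
    my @matches = bsd_glob($pattern, GLOB_ERR);
    die "glob failed: $!\n" if File::Glob::GLOB_ERROR();
    return @matches;
}

# Constructed fixture: a scratch directory holding a few empty files.
my $dir = tempdir(CLEANUP => 1);
for my $name (qw(report1.txt report2.txt notes.md)) {
    open my $fh, '>', "$dir/$name" or die "create $name: $!";
    close $fh;
}

my @txt = safe_glob("$dir/report*.txt");
print "matched: @txt\n";            # the two report files, nothing else

# A pattern carrying a shell separator is refused before it reaches any
# globbing code at all.
eval { safe_glob("$dir/*.txt; echo") };
print "rejected: $@" if $@;
```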
