develooper Front page | perl.perl5.porters | Postings from October 2015

Re: [perl #126271] File::Glob issue

Aristotle Pagaltzis
October 13, 2015 17:53
* Karl Williamson <> [2015-10-13 19:25]:
> On 10/13/2015 03:13 AM, Aristotle Pagaltzis wrote:
> > You brought this up multiple times.
> Huh!? Unless I'm losing my mind, this thread is the only time I've
> ever posted on this. And unless I'm conflating this with something
> else, the only other time I've mentioned this at all was shortly
> before the original post, when I asked a question about it on #irc,
> and Zefram and I quickly concluded it was best handled via email;
> hence this thread.

Sorry. I thought I had seen you propose this twice on this thread. You
mentioned it on IRC as well; possibly you also mentioned it only once
there, and my impression that you had suggested it more than once there
too was equally mistaken. Too lazy to check. :-) So it felt to me like
you were re-proposing this repeatedly in the face of disagreement from
multiple sides, and as it seemed an evidently bad idea to me as well,
I wondered what on Earth could be compelling you.

But you are right: on second look, none of that took place.

My bad.

> So of course I haven't thought this through. I said I was asking for
> guidance. And I did state my premise there.

Well you didn’t state your premise for doing what you weren’t actually
doing. ;-)

Anyway, on the subject itself, as I said, the fact that it’s possible to
get shell command invocation out of glob() at all is – inarguably, to my
mind – a security vulnerability. And the reason PERL_EXTERNAL_GLOB even
exists seems to be hysterical raisins. Maybe it’s time to revisit that
and get rid of it.

> And I'm certainly not persistently advocating for anything.

Yes; sorry about that.

Aristotle Pagaltzis // <>
