
Re: [perl #126271] File::Glob issue

From: Aristotle Pagaltzis
Date: October 13, 2015 17:53
Subject: Re: [perl #126271] File::Glob issue
Message ID: 20151013175304.GA27504@plasmasturm.org
* Karl Williamson <public@khwilliamson.com> [2015-10-13 19:25]:
> On 10/13/2015 03:13 AM, Aristotle Pagaltzis wrote:
> > You brought this up multiple times.
>
> Huh!? Unless I'm losing my mind, this thread is the only time I've
> ever posted on this. And unless I'm conflating this with something
> else, the only other time I've mentioned this at all was shortly
> before the original post, when I asked a question about it on #irc,
> and Zefram and I quickly concluded it was best handled via email;
> hence this thread.

Sorry. I thought I had seen you propose this twice on this thread. You
mentioned it on IRC as well; possibly you also mentioned it only once
there, and my impression that you had suggested it more than once there
too was equally mistaken. Too lazy to check. :-) So it felt to me like
you were re-proposing this repeatedly in the face of disagreement from
multiple sides, and as it seemed an evidently bad idea to me as well,
I wondered what on Earth could be compelling you.

But you are right: on second look, none of that took place.

My bad.

> So of course I haven't thought this through. I said I was asking for
> guidance. And I did state my premise there.

Well, you didn’t state your premise for doing what you weren’t actually
doing. ;-)

Anyway, on the subject itself, as I said, the fact that it’s possible to
get shell command invocation out of glob() at all is – inarguably, to my
mind – a security vulnerability. And the reason PERL_EXTERNAL_GLOB even
exists seems to be hysterical raisins. Maybe it’s time to revisit that
and get rid of it.

> And I'm certainly not persistently advocating for anything.

Yes; sorry about that.

Regards,
-- 
Aristotle Pagaltzis // <http://plasmasturm.org/>
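As an added illustration of the point made above (not code from this thread or from File::Glob itself), the defensive pattern is to treat untrusted path components as data rather than as a pattern: backslash-escape the glob metacharacters and call File::Glob::bsd_glob() directly, which never splits on whitespace and never hands the string to a shell. The helper names and the directory fixture are constructed for the example and assume a Unix filesystem.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Glob qw(bsd_glob GLOB_QUOTE GLOB_ERR GLOB_ERROR);
use File::Temp qw(tempdir);
use File::Spec;

# Backslash-escape glob metacharacters so an untrusted string matches only
# itself. bsd_glob() honours backslash quoting when GLOB_QUOTE is set.
sub glob_escape {
    my ($s) = @_;
    $s =~ s/([\\\[\]{}*?~])/\\$1/g;
    return $s;
}

# List the entries of $dir. The directory name is escaped so it is matched
# literally; only the trailing '*' is a wildcard. bsd_glob() does no
# whitespace splitting and does not spawn a shell, whatever CORE::glob does.
sub list_dir_safely {
    my ($dir) = @_;
    my @entries = bsd_glob(glob_escape($dir) . '/*', GLOB_QUOTE | GLOB_ERR);
    my $err = GLOB_ERROR;
    die "glob failed (GLOB_ERROR=$err)\n" if $err;
    return @entries;
}

# Constructed fixture: a directory whose name contains whitespace and glob
# metacharacters, the kind of value that must not reach CORE::glob unescaped.
my $base    = tempdir(CLEANUP => 1);
my $hostile = File::Spec->catdir($base, 'in box [draft] *');
mkdir $hostile or die "mkdir: $!";
for my $name (qw(a.txt b.txt)) {
    open my $fh, '>', File::Spec->catfile($hostile, $name) or die "open: $!";
    close $fh;
}

# CORE::glob applies csh semantics: it splits the pattern on whitespace and
# interprets the brackets and star, so it does not list the folder at all.
my @core = glob("$hostile/*");
printf "CORE::glob -> %d entries (none of them the two files)\n", scalar @core;

# The escaped bsd_glob() call returns exactly a.txt and b.txt.
my @safe = list_dir_safely($hostile);
printf "bsd_glob   -> %d entries\n", scalar @safe;
print "  $_\n" for @safe;
```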
