Potentially insecure Perl scripts
Colin Watson
cjwatson at debian.org
Thu Jan 24 20:22:52 GMT 2019
On Thu, Jan 24, 2019 at 02:49:29PM -0500, Mark Fowler wrote:
> On Thu, Jan 24, 2019 at 10:18 AM Ian Jackson <ijackson at chiark.greenend.org.uk> wrote:
> > To the Debian Perl maintainers: if I make a patch to make
> > -p -n <>
> > use the 3-argument form of open (or equivalent), will you apply it ?
> >
> > To the Debian security team: would you ship it in a security update ?
>
> Wouldn't a less drastic approach be to change the vulnerable scripts to use
> <<>> instead of <>?
Do you have a proposal for enumerating all the vulnerable scripts?
Also, <<>> doesn't work if your script expects to continue to support
"-" to mean stdin, because it turns that off along with all the rather
more dangerous magic. In the case of groff, "-" was specifically
documented in the manual pages of the relevant programs; so I made
essentially the following transformation:
    while (<>) {
        ...
    }
... into:
    # No arguments means "read stdin", as the documented "-" convention does.
    unshift @ARGV, '-' unless @ARGV;
    foreach my $filename (@ARGV) {
        my $input;
        if ($filename eq '-') {
            $input = \*STDIN;
        } elsif (not open $input, '<', $filename) {
            # Three-argument open: the name is a literal path, never a pipe.
            warn $!;
            next;
        }
        while (<$input>) {
            ...
        }
    }
A bit tedious, but seems workable.
--
Colin Watson [cjwatson at debian.org]
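The transformation above, carried through into a complete script as an added illustration (this is not code from the thread or from groff): the loop is wrapped in a reusable `for_each_line` function that keeps the documented "-" convention, and a small demo feeds it two constructed temporary files plus a name ending in "|", the kind of argument the two-argument form of `open` (and therefore the plain `<>` operator) would interpret as a pipe. With the three-argument form it is just an unreadable path, which is reported and skipped.

```perl
#!/usr/bin/perl
# Added example, not from the original message: a safe replacement for
# "while (<>)" that still honours "-" for stdin.
use strict;
use warnings;
use File::Temp qw(tempfile);

# Iterate over the files named in @args (stdin when the list is empty or
# an element is '-'), calling $callback->($filename, $line) for each line.
# open() is given an explicit '<' mode, so every name is taken as a literal
# path; leading or trailing pipe and redirection characters are not magic.
# Returns the number of names that could not be opened.
sub for_each_line {
    my ($callback, @args) = @_;
    unshift @args, '-' unless @args;
    my $errors = 0;
    foreach my $filename (@args) {
        my $input;
        if ($filename eq '-') {
            $input = \*STDIN;
        } elsif (not open $input, '<', $filename) {
            warn "$filename: $!\n";
            $errors++;
            next;
        }
        while (my $line = <$input>) {
            $callback->($filename, $line);
        }
        close $input unless $filename eq '-';
    }
    return $errors;
}

# Demo input (constructed): two temporary files that are deleted on exit.
my ($fh1, $path1) = tempfile(UNLINK => 1);
print $fh1 "alpha\nbeta\n";
close $fh1;
my ($fh2, $path2) = tempfile(UNLINK => 1);
print $fh2 "gamma\n";
close $fh2;

# Count lines per file. The third argument is a literal name ending in '|';
# with the three-argument open it simply fails to open and is counted as
# an error instead of being treated as a command to run.
my %count;
my $errors = for_each_line(sub { $count{$_[0]}++ }, $path1, $path2, "$path2|");
printf "%s: %d line(s)\n", $_, $count{$_} for sort keys %count;
print "unreadable names: $errors\n";
```

Running it prints the two per-file line counts, one warning of the form `<path>|: No such file or directory`, and `unreadable names: 1`. Passing no arguments (or "-") reads stdin, which is the case `<<>>` would have dropped.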