in reply to Re: Dangerous diamonds!
in thread Dangerous diamonds!
The problem doesn't lie in magic open. The problem lies in assuming world writeable directories are safe.
No.
The problem that I am discussing is that it's using 2-arg open without me knowing it is. Now that I know it does do that, I won't make the mistake of EVER doing any -pe'something' * in something that is automated again. Too bad, since Perl really is nice as a one-liner crafting tool. Or I thought it was.
Consider the following program:
Blah blah. Those two examples are completely unrelated. They only happen to use @ARGV. I was *NOT* discussing the array @ARGV, but the magic filehandle that opens implicitly.
Your examples change the files, which is by definition less secure. My concern is with scripts/one-liners that readline *ARGV without knowing it could be any mode. I'm talking about implicit open, you're talking about explicit open and explicit truncate.
Please step into the real world and realise people make mistakes, and that people sometimes think they know how something works but do not. I thought I knew what magic ARGV did (Note again: @ARGV is not magic. I'm talking about *ARGV{IO} here, and only that.), but apparently did not.
My search on my server, on which multiple people automate tasks using Perl one-liners, proves that I'm not the only one that opened up huge security holes by assuming -n and -p were safe (again assuming no $ARGV, no @ARGV and no $^I or ANYTHING that *changes* files).
It would be very insecure to think that using 3-arg open will fix your problems.
Pedant. Let me rephrase: 3-arg open with "<" as its second argument would fix most of the problem that I describe. Possibly still has exploits with nullbytes and such, but at least those are real exploits, and not some stupid Perl bugfeature that can very easily be abused.
To anyone reading my post: I acknowledge that it is a feature (after all, it's documented and sometimes useful) and not a bug. I also agree that you shouldn't assume things. But people do assume a lot and my message serves as a warning for people like me. In some IRC channels some people were quite shocked and started editing their scripts immediately.
Sometimes I wonder why it is that in Perl world you cannot warn people or express your wishes without getting replies saying that things are supposed to work the way they do, that any changes would break legacy scripts, that I should have been perfect in the first place and that worse situations are possible too.
So, to avoid further confusion:
- Beware: magic ARGV (implied by -p and -e) uses two-arg open and can open files in a not-read-only mode and can even execute external commands.
- How it works now is a feature, documented in perlop.
- I wish it were different (explicit read-only using three-arg open).
- I'm only talking about the magic ARGV filehandle, not about $ARGV, @ARGV or its elements.
Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
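As an added illustration of the read-only alternative the post asks for (example code written for this page, not Juerd's or anyone else's from the thread): the script below does the job of a `perl -ne '...' *` one-liner, but opens every name in @ARGV with a 3-arg open and an explicit `<` mode, so a filename is only ever a path. The helper `magic_open_risk` is an assumed audit function that reports which names the magic ARGV filehandle would have handed to 2-arg open with a meaning other than "read this file"; the `$handler` callback and the `/TODO/` filter are placeholders for whatever the one-liner was doing.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Reads every file named in @ARGV strictly read-only, instead of relying on
# the magic ARGV filehandle, which passes each name to 2-arg open and so
# honours leading/trailing mode characters found in the name itself.

# Audit helper (assumed, not part of the original post): classify what a
# 2-arg open would have done with this name, based on the documented
# 2-arg open rules. The reader below never opens anything this way; the
# result is only used to warn and skip.
sub magic_open_risk {
    my ($name) = @_;
    return 'stdin'         if $name eq '-';
    return 'write/append'  if $name =~ /^\s*(?:>>?|\+[<>])/;
    return 'pipe'          if $name =~ /^\s*\|/ || $name =~ /\|\s*$/;
    return 'explicit read' if $name =~ /^\s*</;   # harmless, but shows the prefix is parsed
    return undef;
}

# Read-only replacement for "while (<>)": 3-arg open, explicit '<' mode.
# Returns the list of names that were skipped (unopenable or magic-looking).
sub process_files {
    my ($handler, @names) = @_;
    my @skipped;
    for my $name (@names) {
        if (my $why = magic_open_risk($name)) {
            warn "skipping '$name': 2-arg open would have treated it as $why\n";
            push @skipped, $name;
            next;
        }
        open my $fh, '<', $name or do {
            warn "cannot open '$name': $!\n";
            push @skipped, $name;
            next;
        };
        while (my $line = <$fh>) {
            $handler->($name, $., $line);   # $. is the line number in $fh
        }
        close $fh;
    }
    return @skipped;
}

# Equivalent of:  perl -ne 'print if /TODO/' *
# but read-only by construction, whatever the file names look like.
process_files(sub {
    my ($file, $lineno, $line) = @_;
    print "$file:$lineno: $line" if $line =~ /TODO/;
}, @ARGV);
```

Run it as `perl reader.pl *` in the directory you would have globbed for the one-liner. Since Perl 5.22 the double-diamond operator `<<>>` gives the same read-only behaviour inside a script (each element of @ARGV goes through 3-arg open), but `-n` and `-p` still build their loop on the plain magic `<>`, so a script like this one is the way to get an explicit read-only open for automated jobs.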
Replies:
- Re: Re: Re: Dangerous diamonds! by bart (Canon) on May 20, 2003 at 08:00 UTC
  - by Juerd (Abbot) on May 20, 2003 at 14:43 UTC
- Re: Re: Re: Dangerous diamonds! by mr_mischief (Monsignor) on May 19, 2003 at 19:36 UTC
  - by tye (Sage) on May 19, 2003 at 20:15 UTC
  - by theorbtwo (Prior) on May 19, 2003 at 20:53 UTC
  - by tye (Sage) on May 19, 2003 at 21:06 UTC
  - by hv (Prior) on May 20, 2003 at 04:02 UTC
  - by Juerd (Abbot) on May 19, 2003 at 19:41 UTC