PerlMonks  

Re^2: magic-diamond <> behavior -- WHAT?!

by zwon (Monsignor)
on Oct 27, 2009 at 21:21 UTC (#803528)


in reply to Re: magic-diamond <> behavior -- WHAT?!
in thread magic-diamond <> behavior -- WHAT?!

Fixed implies broken. This feature is there by design, and predates perl5. I find it useful.

After a quick look I've found that pod2html, pl2pm, and prove are vulnerable. And it's hard to assume that their authors didn't know about this "feature". I'm pretty sure that if I spend more time investigating /usr/bin I'll find more. Some of these scripts are run by root, and he may not even know that they are written in Perl; I don't think he is checking that there are no files with | or < in their names. So I only have to touch the file with the right name in the right place. That's what I call "things are broken".

Isn't it easier to fix scripts that rely on magic open after they stop working, than to fix scripts that work perfectly, except that they could ruin your system?


Re^3: magic-diamond <> behavior -- WHAT?!
by JavaFan (Canon) on Oct 27, 2009 at 22:39 UTC
    Wait. You want to protect against a root who runs some-program-he-doesn't-really-know * in a directory with world write access, without looking at the content of the directory?
    Isn't it easier to fix scripts that rely on magic open after they stop working, than to fix scripts that work perfectly, except that they could ruin your system?
    I'd say the person with root access is a way bigger problem to your system than magical open.

      What do you mean by "really know"? Are you saying that before running some program I should review the sources? Do you really always do that? And root access is not a requirement to fall into that trap; ordinary users, who don't even know what Perl is, can also run these scripts.

        What do you mean by "really know"?
        Heh, you introduced this root, not me:
        Some of these scripts are run by root, and he may not even know that they are written in Perl; I don't think he is checking that there are no files with | or < in their names.

        And root access is not a requirement to fall into that trap, ordinary users, who don't even know what Perl is, also can run these scripts.
        Running whatever * while not knowing what * expands to or what whatever does is dangerous regardless of the language whatever is written in. Disabling magic open in Perl isn't going to fix the potential problems with this technique.

        It's like saying "let's turn all Toyotas into bumper cars, as there are people crossing the road with their eyes closed". That doesn't make crossing the road with your eyes closed safe - you still get run down by Fords and other cars.

Re^3: magic-diamond <> behavior -- WHAT?!
by Anonymous Monk on Oct 28, 2009 at 00:25 UTC
    You must have an old perl/pod2html :)

    ack "\<ARGV\>" C:\perl\5.10.1\bin\*bat

    ack "\<\>\s*\)" C:\perl\5.10.1\bin\*bat

    C:\perl\5.10.1\bin\brace-compress.bat:59: while ( <> ) {
    C:\perl\5.10.1\bin\c2ph.bat:488:STAB: while (<>) {
    C:\perl\5.10.1\bin\dbilogstrip.bat:53:while (<>) {
    C:\perl\5.10.1\bin\perlbug.bat:994: my $result = scalar(<>);
    C:\perl\5.10.1\bin\perlthanks.bat:994: my $result = scalar(<>);
    C:\perl\5.10.1\bin\pl2pm.bat:56:while (<>) {
    C:\perl\5.10.1\bin\podgrep.bat:51:while (<>) {
    C:\perl\5.10.1\bin\podtoc.bat:21:while (<>) {
    C:\perl\5.10.1\bin\ppm.bat:99: last unless defined ($_ = <> );
    C:\perl\5.10.1\bin\pstruct.bat:488:STAB: while (<>) {
    C:\perl\5.10.1\bin\scandeps.bat:45:while (<>) {
    C:\perl\5.10.1\bin\SOAPsh.bat:29:while (defined($_ = shift || <>)) {
    C:\perl\5.10.1\bin\splain.bat:451: while (defined (my $error = <>)) {
    C:\perl\5.10.1\bin\XMLRPCsh.bat:28:while (defined($_ = shift || <>)) {

      Your 'ack' is wrong on two accounts. First of all, pod2html doesn't do anything more than using a module, and calling a single sub in that. The work is done in ..../lib/5.10.1/Pod/Html.pm.

      But even then, searching for <ARGV> or <> won't reveal much. But this is relevant:

      local(@ARGV) = @_;
      ...
      local *POD;
      unless (@ARGV && $ARGV[0]) {
          $Podfile = "-" unless $Podfile;   # stdin
          open(POD, "<$Podfile")
              || die "$0: cannot open $Podfile file for input: $!\n";
      } else {
          $Podfile = $ARGV[0];   # XXX: might be more filenames
          *POD = *ARGV;
      }
      ...
      my @poddata = <POD>;

        Huh, my ack is wrong?

        First of all, pod2html doesn't do anything more than using a module

        That is what it does now, it wasn't always a module.

        But even then, searching for <ARGV> or <> won't reveal much. But this is relevant

        It shows magic isn't used.
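
An added example, not part of any post in this thread and not code from the Perl distribution: a replacement for a `while (<>)` loop that opens each argument with three-argument open, so a name containing `|` or `<` is only ever treated as a path. The helper names `is_magic_name` and `read_literal` are made up for this sketch; on Perl 5.22 and later the `<<>>` operator gives the same literal handling of @ARGV.

```perl
#!/usr/bin/perl
# Added example: process the files named in @ARGV without the
# two-argument "magic" open that a bare <> performs on each name.
use strict;
use warnings;

# True if two-argument open() would interpret $name rather than just
# open it for reading: a mode or pipe character at either end,
# surrounding whitespace (which it trims), or "-" (which means STDIN).
sub is_magic_name {
    my ($name) = @_;
    return 1 if $name eq '-';
    return 1 if $name =~ /\A\s|\s\z/;      # whitespace is stripped
    return 1 if $name =~ /\A\s*[<>+|]/;    # leading mode or pipe char
    return 1 if $name =~ /\|\s*\z/;        # trailing pipe char
    return 0;
}

# Open $name strictly as a file for reading and hand each line to
# $callback. The mode is a separate argument, so nothing in $name
# can change what open() does.
sub read_literal {
    my ($name, $callback) = @_;
    open(my $fh, '<', $name) or do {
        warn "$0: cannot open '$name': $!\n";
        return 0;
    };
    while (my $line = <$fh>) {
        $callback->($line, $name);
    }
    close $fh;
    return 1;
}

if (@ARGV) {
    for my $arg (@ARGV) {
        # Log names that a bare <> would have interpreted; useful when
        # auditing what a wildcard expanded to.
        warn "$0: '$arg' is special to two-arg open; read as a plain path\n"
            if is_magic_name($arg);
        read_literal($arg, sub { print $_[0] });
    }
} else {
    # Same fallback as <> with no arguments: read standard input.
    print while <STDIN>;
}
```

Unlike `<>`, this treats a literal `-` argument as a file name; a script that documents `-` as standard input has to handle that case explicitly.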
