PerlMonks  

Re^4: magic-diamond <> behavior -- WHAT?!

by zwon (Monsignor)
on Oct 28, 2009 at 08:57 UTC


in reply to Re^3: magic-diamond <> behavior -- WHAT?!
in thread magic-diamond <> behavior -- WHAT?!

What do you mean by "really know"? Are you saying that before running some program I should review the sources? Do you really always do that? And root access is not a requirement to fall into that trap; ordinary users, who don't even know what Perl is, can also run these scripts.


Re^5: magic-diamond <> behavior -- WHAT?!
by JavaFan (Canon) on Oct 28, 2009 at 09:10 UTC
    What do you mean by "really know"?
    Heh, you introduced this root, not me:
    Some of these scripts are run by root, and he may not even know that they are written in Perl; I don't think he checks that there are no files with | or < in their names.

    And root access is not a requirement to fall into that trap, ordinary users, who don't even know what Perl is, also can run these scripts.
    Running whatever * while not knowing what * expands to or what whatever does is dangerous regardless of the language whatever is written in. Disabling magic open in Perl isn't going to fix the potential problems with this technique.

    It's like saying "let's turn all Toyotas into bumper cars, as there are people crossing the road with their eyes closed". That doesn't make crossing the road with your eyes closed safe - you still get run down by Fords and other cars.

      Running whatever * while not knowing what * expands to

      I always felt safe running grep something *, can you enlighten me how it can be dangerous?

      or what whatever does

      in this case the question is how whatever is implemented

      It's like saying "let's turn all Toyotas into bumper cars

      It's like saying let's equip every Toyota with safety belts.

        How about rm -i *? Do you think it's safe, especially because you asked it to ask you before removing a file? You'd be surprised if there's a file named -f. How about scp * remote:? That might do something unexpected if there's a file somehost:bla, or even otherhost:*.

        There's no guarantee any program treats a filename given as an argument as nothing other than a filename. In fact, most programs don't. And you should be quite aware of that when using *, or any other form of expansion (for instance, when using find ... | xargs). Being aware of what you are doing is far more useful than removing magic open.

        It's like saying let's equip every Toyota with safety belts.
        That doesn't help the person crossing the street with his eyes closed, does it?
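As an added example (not code posted in this thread), here is the hardened form of a plain while (<>) filter: each name in @ARGV is opened with three-argument open, so a name such as |cmd or <file is treated as a literal path rather than as a pipe or a mode prefix. The count_lines function and the sample script are assumptions for illustration; on Perl 5.22 and later the <<>> operator gives the same behaviour for the common loop.

```perl
#!/usr/bin/perl
# Added example: a line-count filter that avoids the two-argument open
# that plain <> performs on every name in @ARGV.
use strict;
use warnings;

# Hardened loop: three-argument open treats each element of @ARGV as a
# plain path, never as a pipe ("|cmd", "cmd|") or a mode prefix ("<", ">").
sub count_lines {
    my @names = @_ ? @_ : ('-');          # no arguments: read STDIN, as <> does
    my %count;
    for my $name (@names) {
        my $fh;
        if ($name eq '-') {
            $fh = \*STDIN;                # handle "-" ourselves, no magic needed
        }
        elsif (!open $fh, '<', $name) {   # explicit mode: the name is not parsed
            warn "cannot open '$name': $!\n";
            next;
        }
        my $n = 0;
        $n++ while <$fh>;
        close $fh unless $name eq '-';
        $count{$name} = $n;
    }
    return \%count;
}

# On Perl 5.22 and later the double diamond does the same for the usual
# "process every file named on the command line" loop:
#   while (<<>>) { ... }   # each @ARGV entry is opened as a literal filename

my $counts = count_lines(@ARGV);
printf "%8d %s\n", $counts->{$_}, $_ for sort keys %$counts;
```

This only closes the Perl-side magic-open hole; a name like -f handed to another program through * is that program's option parsing, which is a separate matter.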
