Beefy Boxes and Bandwidth Generously Provided by pair Networks
P is for Practical
 
PerlMonks  

Re: Bug in perl command line processing?

by sauoq (Abbot)
on May 22, 2012 at 20:43 UTC ( #971869=note: print w/ replies, xml ) Need Help??


in reply to Bug in perl command line processing?

$ perl -MO=Deparse -i'foo e eval "warn q[bar]";' -e1 BEGIN { $^I = "foo"; } eval 'warn q[bar]'; '???'; -e syntax OK

-sauoq
"My two cents aren't worth a dime.";


Comment on Re: Bug in perl command line processing?
Download Code
Re^2: Bug in perl command line processing?
by EvanCarroll (Chaplain) on May 22, 2012 at 20:54 UTC
    Right that is obviously what is doing, but is that safe for Perl and not the shell to break apart an argument on spaces? This seems dangerous. You now need to sanitize your backup-character-extensions for space characters because perl may otherwise execute it as code?


    Evan Carroll
    The most respected person in the whole perl community.
    www.evancarroll.com

      I think you found a real bug. And, sure, there are security implications. Theoretically, anyway. There are probably not that many places where this poses a real security threat. There's more potential for it to cause things to break and leave people scratching their heads though.

      -sauoq
      "My two cents aren't worth a dime.";
Re^2: Bug in perl command line processing?
by demerphq (Chancellor) on May 22, 2012 at 21:14 UTC

    The -e1 is unnecessary.

    $ perl -MO=Deparse -i'foo e eval "warn q[bar]";' BEGIN { $^I = "foo"; } eval 'warn q[bar]'; -e syntax OK

    I vote bug.

    ---
    $world=~s/war/peace/g

      The -e1 is unnecessary.

      That seems to be because perl sees the 'e' in 'foo e eval...' as an -e command line switch. Change it to something else besides 'e' and the behavior changes.

      It sort of feels like the same sort of exploit one should worry about when using the two-arg open unsafely, passing user data to a database without placeholders, or instantiating user data as variable names.


      Dave

        Yes, but to me that is THE bug.

        ---
        $world=~s/war/peace/g

      The -e1 is unnecessary.

      Yes, sorry. I should have explained my intent... I was showing that by adding the ';' to the OP's you could include -e1 without an error.

      -sauoq
      "My two cents aren't worth a dime.";

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://971869]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others surveying the Monastery: (10)
As of 2014-10-02 18:14 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    What is your favourite meta-syntactic variable name?














    Results (70 votes), past polls