Beefy Boxes and Bandwidth Generously Provided by pair Networks
go ahead... be a heretic
 
PerlMonks  

Re: Re: Two-arg open() considered dangerous

by chip (Curate)
on Dec 12, 2001 at 03:56 UTC ( #131113=note: print w/ replies, xml ) Need Help??


in reply to Re: Two-arg open() considered dangerous
in thread Two-arg open() considered dangerous

Japhy, you've fallen into the whitespace trap! How does "< $f" help you if $f starts with a space?

If two-arg open() can mislead as esteemed a monk as japhy, surely we should urge less experienced monks to steer clear of it.

    -- Chip Salzenberg, Free-Floating Agent of Chaos


Comment on Re: Re: Two-arg open() considered dangerous
Select or Download Code
Replies are listed 'Best First'.
Re: Re: Re: Two-arg open() considered dangerous
by japhy (Canon) on Dec 12, 2001 at 04:03 UTC
    perlopentut covers anomolies. Anyway, that's why Perl 5.6 has the multi-arg open(). open(FH, '<', $file)

    _____________________________________________________
    Jeff[japhy]Pinyan: Perl, regex, and perl hacker.
    s++=END;++y(;-P)}y js++=;shajsj<++y(p-q)}?print:??;

      Of course Perl 5.6 has multi-arg open ... I promoted its use in the node that started this thread!

      Sheesh, japhy, I know you're busy -- but set an example, please, and read the articles you respond to. OK?

      PS: Thanks for the perlopentut reminder.

          -- Chip Salzenberg, Free-Floating Agent of Chaos

        I did read it, and that's why I too mentioned multi-arg open()... I was agreeing with you.

        _____________________________________________________
        Jeff[japhy]Pinyan: Perl, regex, and perl hacker.
        s++=END;++y(;-P)}y js++=;shajsj<++y(p-q)}?print:??;

Re: Re: Re: Two-arg open() considered dangerous
by kwoff (Friar) on Dec 12, 2001 at 05:20 UTC
    I think anyone starting a filename with whitespace deserves to suffer. (Actually, I dislike any whitespace at all in a filename, but at least bash will tab-complete those cases. :)
      I think anyone starting a filename with whitespace deserves to suffer.
      It's not a matter of suffering or not. It's a matter of being able to bypass security.

      Suppose a setuid script will only write to a file I own, and I want to attack "fred". I create "(space)fred", it checks with "-O" and notes that I own it, and then proceeds to strip the whitespace on the open. And boom, I've written into a file I don't own.

      Do not simply "ignore" special characters, saying "the user will have to suffer". As a bad guy, I could exploit your ignorance (heh), and get in. Bad design, worse results.

      -- Randal L. Schwartz, Perl hacker

      Bash will tab complete a file beginning with a space as well, but you need to use a quote mark before the space to distinguish it from a normal space...
      % touch " tmpfile" % rm " [TAB-autocomplete]

      -Blake

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: note [id://131113]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others scrutinizing the Monastery: (6)
As of 2015-07-29 00:57 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    The top three priorities of my open tasks are (in descending order of likelihood to be worked on) ...









    Results (260 votes), past polls