Beefy Boxes and Bandwidth Generously Provided by pair Networks
Problems? Is your data what you think it is?
 
PerlMonks  

glob

by BooK (Curate)
on Jan 24, 2001 at 14:29 UTC ( #53931=perlquestion: print w/ replies, xml ) Need Help??
BooK has asked for the wisdom of the Perl Monks concerning the following question:

This is maybe not the best place to ask this question... Anyway,

I noticed a big difference between perl 5.005_03 and 5.6.0... glob behaves quite differently under -T

Try this one-liner:

C:\>perl5.exe -Te "print join', ',glob'*.txt'" Insecure dependency in glob while running with -T switch at -e line 1.
according to perlsec, this is perfectly normal, and I don't complain... After all, in Perl under 5.6 this was done thanks to a subshell.

But now try this one:

C:\>perl56.exe -Te "print join', ',glob'*.txt'" file1.txt, file2.txt, file3.txt
Well, in Perl 5.6, it is done with File::Glob, so why not.

But if you check in Amelia (page 727), you'll see that it's not the way glob should behave. You'll also notice glob is not in the list of taintedness examples page 560...

So, is this a bug in Perl 5.6? In Amelia? I tried this with ActivePerl 522 and 620, and with Perl 5.005_03 under FreeBSD and Perl 5.6.0 under Linux.

Comment on glob
Select or Download Code
5.6 untained glob (Re: glob)
by tye (Cardinal) on Jan 24, 2001 at 18:54 UTC

    Running a test I find that readdir() doesn't return tainted data so 5.6's glob()s (there are choices of several now) shouldn't either (or readdir() is also broken) since they just do readdir() and return a subset of the values.

    I would certainly understand claiming that both readdir() and new glob()s should return tainted data (I could also understand automatically untainting any file names that don't contain unusual characters).

    Note also that just trying to do a glob() prior to 5.6 should fail if running in taint mode as doing the glob() is just opening up a huge list of security holes. ):

            - tye (but my friends call me "Tye")

Log In?
Username:
Password:

What's my password?
Create A New User
Node Status?
node history
Node Type: perlquestion [id://53931]
Approved by root
help
Chatterbox?
and the web crawler heard nothing...

How do I use this? | Other CB clients
Other Users?
Others chilling in the Monastery: (5)
As of 2014-12-28 20:13 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    Is guessing a good strategy for surviving in the IT business?





    Results (182 votes), past polls