HTTP/2 200 cache-control: max-age=43200 server: Combust/Plack (Perl) vary: Accept-Encoding content-encoding: gzip content-length: 2349 content-type: text/html; charset=utf-8 last-modified: Sat, 11 Oct 2025 20:51:41 GMT date: Sat, 11 Oct 2025 20:51:41 GMT strict-transport-security: max-age=15768000 Front page | perl.perl5.porters | Postings from July 2008

RE: Removing files called minus (was: MAGIC MAGIC MAGIC)

Thread Previous

>Suppose a program is known to create a file name /tmp/bar, 
>presumably through open >/tmp/bar or the equivalent.  
>Fine.  
>
>Merely symlink /etc/passwd to /tmp/bar and watch the fun begin.

This is called a symlink attack, it is a very common type of security bug, and is the reason why people have spent a lot of time removing fixed (or predictable) filenames from programs and replacing them with File::Temp.  Of course, there are those who would argue that you just need to educate your users not to create symlinks in /tmp, nobody ever really does that, and so there is no real problem.

The fifo 'attack' you mentioned is certainly interesting.  It does suggest it's a bad idea for automated programs such as virus checkers to go around open()ing every file they see.  But Unix open() has a documented semantics for reading a fifo, and if you ask to open a file it's pretty reasonable for perl to open a file.  More surprising, IMHO, for it to go off and run a command, or write a file when you thought you were using an operator that reads them.  Such magic is useful, but not without explicitly asking for it.

>You-against-the-world-code includes daemons, setID scripts, 
>and CGI scripts, but is hardly restricted to those alone.  
>It's a far scarier place than you think, and this will keep 
>you awake at night, anxious and depressed if you do think 
>about it.  Perl should not be crippled just because some very 
>few people are paranoid, justly or otherwise.

Nobody has suggested Perl should be crippled or that magic argument processing should be unavailable.  I am in favour of adding extra magic, like ungzipping files or fetching URIs, or other things not yet dreamt of.

The only point is if you want something potentially unsafe, you should need to *ask for it*.  For a long time Perl has promoted <> as the way to read lines from command-line files.  Several people on this thread have said that they were happily using it as such, unaware of its potential to go wrong.  And those who read this list are surely among the most informed and careful of Perl developers.

-- 
Ed Avis <eda@waniasset.com> 

______________________________________________________________________
This email has been scanned by the MessageLabs Email Security System.
For more information please visit https://www.messagelabs.com/email 
______________________________________________________________________

Thread Previous

• Removing files called minus (was: MAGIC MAGIC MAGIC) by Tom Christiansen
• Re: Removing files called minus (was: MAGIC MAGIC MAGIC) by Aaron Crane
• Re: Removing files called minus (was: MAGIC MAGIC MAGIC) by Zefram
• Re: Removing files called minus (was: MAGIC MAGIC MAGIC) by Tels
• Re: Removing files called minus (was: MAGIC MAGIC MAGIC) by David Nicol
• Re: Removing files called minus by Mark Mielke
• Re: Removing files called minus (was: MAGIC MAGIC MAGIC) by Aristotle Pagaltzis
• RE: Removing files called minus (was: MAGIC MAGIC MAGIC) by Ed Avis