Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Vincent Lefevre writes ("Potentially insecure Perl scripts"):
> > I've just reported
> >   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
> > against gropdf (also reported upstream to bug-groff), about the use of
> > the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> > command execution, e.g. when using wildcards.
> >
> > I've noticed that some other Perl scripts also use this filehandle and
> > might be affected by the same issue.
>
> OMFG. This is worse than shellshock.
>
> $ perl -pe 's/^/got /' "whoami|"
> got iwj
> $

Apparently this has been known about for EIGHTEEN YEARS
  https://rt.perl.org/Public/Bug/Display.html?id=2783
and no-one has fixed it or even documented it.

I think this is a serious bug in Perl which should be fixed in a
security update. Debian Perl maintainers, can you please tell me
whether you agree, and if so whether you intend to prepare a security
update ?

IMO the correct behaviour for <> and -p and -e should be to special
case "-" (which usual filename argument unquoting will often deal
with) and otherwise use the three-argument form of the builtin open.

The tiny number of programs broken by such a change will be massively
outweighed by the large number of hideous security bugs which will be
fixed.

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is
a private address which bypasses my fierce spamfilter.
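
Added example, not part of the original message and not code from Perl or Debian: one way a script can get the behaviour proposed above without waiting for a change to `<>`, by special-casing "-" and opening every other argument with three-argument open. The helper name `each_line_literal` and the sample file are constructed for illustration.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper (not from the thread): read every line of the named
# inputs, treating each name as a literal path. Only the exact argument "-"
# means standard input; nothing is interpreted as a pipe or an open mode.
sub each_line_literal {
    my ($names, $callback) = @_;
    my @inputs = @$names ? @$names : ('-');   # no arguments: read STDIN, like <>
    my $failures = 0;
    for my $name (@inputs) {
        my $fh;
        if ($name eq '-') {
            $fh = \*STDIN;
        }
        elsif (!open($fh, '<', $name)) {      # three-argument open: name is data
            warn "Can't open $name: $!\n";
            $failures++;
            next;
        }
        while (my $line = <$fh>) {
            $callback->($line, $name);
        }
        close($fh) unless $name eq '-';
    }
    return $failures;
}

# Constructed sample: a file whose name ends in "|", as a wildcard could supply.
my $dir  = tempdir(CLEANUP => 1);
my $path = "$dir/whoami|";
open(my $out, '>', $path) or die "Can't create $path: $!";
print {$out} "file contents, not command output\n";
close($out);

# Same job as: perl -pe 's/^/got /' "whoami|"  but the name stays a file name.
my $failed = each_line_literal([$path], sub { print "got $_[0]" });
exit($failed ? 1 : 0);
```

Perl 5.22 and later also provide the `<<>>` operator, which opens each element of `@ARGV` with three-argument open; unlike the proposal above, it treats "-" as a literal file name too.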