On 1/23/19 2:05 PM, Vincent Lefevre wrote:
> Hi,
>
> I've just reported
>
> https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
>
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
>
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
>
Hi,

While gropdf lacks input sanitization, which is definitely bad, the use of the diamond operator is totally fine and doesn't make scripts insecure. One can run perl in tainted mode (perl -T) to detect stuff like that.

Best,
Alex
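As an added illustration (not code from the thread or from gropdf), the script below reads the files named on its command line with a three-argument open, so every argument is taken as a literal path, and first reports any argument that the classic `<>` loop would have handed to the two-argument open as a command or redirection. The function names `suspicious_args` and `count_lines` are my own.

```perl
#!/usr/bin/perl
# Added example. Reads each file named in @ARGV as a plain path instead of
# relying on the magic two-argument open that plain <> performs.
use strict;
use warnings;

# Report which arguments the classic <> loop would treat as something other
# than a plain file name (a command to run, a redirection, or STDIN).
# Handy when auditing a script that still uses <>.
sub suspicious_args {
    my @hits;
    for my $arg (@_) {
        my $why;
        if    ($arg eq '-')                { $why = 'read from STDIN' }
        elsif ($arg =~ /^\s*\|/)           { $why = 'runs the named command' }
        elsif ($arg =~ /\|\s*$/)           { $why = 'runs the named command and reads its output' }
        elsif ($arg =~ /^\s*(?:>>?|<|\+<)/){ $why = 'treated as a redirection' }
        elsif ($arg =~ /^\s|\s$/)          { $why = 'surrounding whitespace would be stripped' }
        push @hits, [$arg, $why] if defined $why;
    }
    return @hits;
}

# Safe reader: three-argument open with an explicit '<' mode, so the
# name is never parsed for pipes or redirections.
sub count_lines {
    my %counts;
    for my $path (@_) {
        open(my $fh, '<', $path) or die "cannot open '$path': $!\n";
        my $n = 0;
        $n++ while <$fh>;
        close $fh;
        $counts{$path} = $n;
    }
    return \%counts;
}

for my $hit (suspicious_args(@ARGV)) {
    warn "argument '$hit->[0]' would be unsafe under plain <>: $hit->[1]\n";
}
my $counts = count_lines(@ARGV);
printf "%s: %d\n", $_, $counts->{$_} for sort keys %$counts;

# On Perl 5.22 or newer the double-diamond loop uses three-argument open
# internally and can replace `while (<>)` directly (it does not treat
# "-" as STDIN):
#   while (<<>>) { ... }
```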