Hi!

On Wed, 2019-01-23 at 14:05:54 +0100, Vincent Lefevre wrote:
> I've just reported
>
>   https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=920269
>
> against gropdf (also reported upstream to bug-groff), about the use of
> the insecure null filehandle "<>" in Perl, which can lead to arbitrary
> command execution, e.g. when using wildcards.
>
> I've noticed that some other Perl scripts also use this filehandle and
> might be affected by the same issue.
Part of the problem might also be that perlcritic recommends this in its
InputOutput::ProhibitExplicitStdin policy; you can see the description with
«perlcritic --doc InputOutput::ProhibitExplicitStdin».

For dpkg, for example, I completely disabled that policy as bogus, when
hooking the perlcritic checks in:

  <https://git.dpkg.org/git/dpkg/dpkg.git/tree/t/critic/perlcriticrc#n67>

Thanks,
Guillem
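The pattern discussed in the thread, as an added example that is not code from gropdf, groff or dpkg: a small line-counting filter written first with the null filehandle "<>" and then with the two forms that treat every element of @ARGV as a plain file name. The subroutine names are my own; the behaviour of "<>", "<<>>" and three-argument open() is as documented in perlop and perlfunc.

```perl
#!/usr/bin/perl
# Added example (not from gropdf, groff or dpkg): the same filter three ways.
use strict;
use warnings;

# Vulnerable form: "<>" opens each element of @ARGV with the two-argument
# open(), so an argument is interpreted as an open() spec rather than as a
# file name. A name produced by a shell wildcard that starts or ends with "|"
# is therefore run as a command. This is what the Debian bug is about.
sub count_lines_unsafe {
    my $n = 0;
    $n++ while <>;
    return $n;
}

# Hardened form 1 (Perl 5.22 and later): "<<>>" behaves like "<>" but uses the
# three-argument open() on each element of @ARGV, so every argument is a
# literal file name (note that "-" is then a file called "-", not STDIN).
sub count_lines_safe_diamond {
    my $n = 0;
    $n++ while <<>>;
    return $n;
}

# Hardened form 2 (any Perl): walk the argument list yourself and use the
# three-argument open(). Keeps the "no arguments means STDIN" convention of
# "<>" explicitly, which also sidesteps the perlcritic policy mentioned above.
sub count_lines_safe_explicit {
    my @files = @_ ? @_ : ('-');
    my $n = 0;
    for my $file (@files) {
        my $fh;
        if ($file eq '-') {
            $fh = \*STDIN;
        } else {
            # Third argument fixes the mode; the name is never parsed.
            open($fh, '<', $file) or die "cannot open $file: $!\n";
        }
        $n++ while <$fh>;
        close($fh) unless $file eq '-';
    }
    return $n;
}

# Usage: perl count.pl file1 file2 ...   (or pipe input with no arguments)
my $n = count_lines_safe_explicit(@ARGV);
print "$n lines\n";
```

Run the three subroutines in a directory where a wildcard expands to an oddly named file and only count_lines_unsafe treats that name as an open() spec; the other two either read it or fail with a clear "cannot open" error. If a project decides, as dpkg did, that the ProhibitExplicitStdin policy is wrong for it, the policy is switched off with a `[-InputOutput::ProhibitExplicitStdin]` section in its .perlcriticrc, which is what the linked dpkg file does.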