On 2019-01-24 11:12:43 +0100, Alex Mestiashvili wrote:
> On 1/24/19 2:40 AM, Vincent Lefevre wrote:
> > But I disagree that a language can be considered insecure, just because

Note: just a feature, not the language itself.

> > it lets you shoot in the foot.
>
> The first thing I learned when doing CGI coding is to sanitize the
> input. That's the root problem in most cases IMHO.

Not really: The point is that if there were real filenames as usual
(possibly with the safe and common exception for "-"), there would be
nothing to sanitize. And as most developers thought these were real
filenames (due to past bogus documentation), they did not try to
sanitize @ARGV. Hence the issue.

> It's also good to see that perl's documentation gets improved.

Yes, but even though it gets improved, it will take much time before
most non-official documentation and examples get fixed too.

> Maybe lintian's warning for something like "while\s?(\s?<>\s?)" in perl
> script explaining to people that they should test the scripts is a good
> start to eliminate that in Debian?

Perhaps, with (as a Perl regexp):

  (foreach|while)\s*\(\s*<>\s*\)

glilypond, gperl and gpinyin use foreach (perhaps not a good idea, but
that's another matter).

-- 
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)
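The lintian-style check proposed above, as an added example that is not part of the thread and not lintian's own code: a small Perl scanner that applies the regexp from the message to constructed sample lines, and also recognises the double-diamond `<<>>` operator (Perl 5.22 and later), which reads @ARGV with the three-argument open so each element is a literal filename.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Regexp proposed in the thread: flag loops that read through the magic
# ARGV handle.  <> opens each element of @ARGV with the two-argument form
# of open(), so an element is not treated as a plain filename.
my $magic_diamond = qr/(?:foreach|while)\s*\(\s*<>\s*\)/;

# The double-diamond operator (Perl 5.22+) reads the same files but uses
# the three-argument open(), so every @ARGV element is a literal filename
# (note: "-" is then an ordinary filename too, not STDIN).
my $safe_diamond = qr/(?:foreach|while)\s*\(\s*<<>>\s*\)/;

# Constructed sample lines standing in for a package's scripts; they are
# not taken from glilypond, gperl or gpinyin.
my @sample = (
    'while (<>) { print; }',
    'foreach(<>) { chomp; push @all, $_; }',
    'while (<<>>) { print; }',
    'while (my $line = <$fh>) { print $line; }',
    'open(my $fh, "<", $file) or die "open: $!";',
);

# Classify each line: 'magic' (needs review), 'safe' (<<>>) or 'other'.
# Returns a list of [line_number, verdict, text].
sub classify_lines {
    my @report;
    my $n = 0;
    for my $line (@_) {
        $n++;
        my $verdict = $line =~ $magic_diamond ? 'magic'
                    : $line =~ $safe_diamond  ? 'safe'
                    :                           'other';
        push @report, [ $n, $verdict, $line ];
    }
    return @report;
}

for my $r (classify_lines(@sample)) {
    my ($n, $verdict, $text) = @$r;
    next if $verdict eq 'other';
    printf "%-4s line %d: %s\n",
        ($verdict eq 'magic' ? 'WARN' : 'ok'), $n, $text;
}
```

Lines 1 and 2 of the sample are reported as WARN and line 3 as ok; the explicit-handle and three-argument open lines are not reported at all.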