Ian Jackson writes ("Re: Potentially insecure Perl scripts"):
> Even if we care only about scripts which are part of Debian, rather
> than scripts which people merely expect to run on Debian (and where
> they trust Debian to not blow their leg off), there will probably be
> many thousands.
I asked codesearch about while.*\<\> and got 10780 results. That
 - does not include situations where -p and -e are wrong
 - does not include other dangerous uses of <>
but
 - it does probably include some scripts which will never see potentially hostile filenames
 - will include some matches in things other than Perl but probably not many

I think this does mean that *at least* 10780 locations in Debian would need to be looked at by a human being to see what to do about them.

I think, effectively, you are proposing a >10780-bug MBF ?

Ian.

-- 
Ian Jackson <ijack...@chiark.greenend.org.uk>   These opinions are my own.

If I emailed you from an address @fyvzl.net or @evade.org.uk, that is a private address which bypasses my fierce spamfilter.
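As an added illustration (not part of Ian's mail or of any Debian tooling), here is a small Python triage scanner in the spirit of the codesearch query above: it flags files that read through the magic ARGV handle (`<>`, `<ARGV>`, `readline(ARGV)`) or that pass -n/-p to perl on a shebang or shell line, and it recognises the `<<>>` form (perl 5.22+) that opens every argument as a plain filename. The switch parsing is a heuristic approximation of perlrun, and the sample sources are constructed.

```python
import re

# Two-argument open on the magic ARGV handle: <>, <ARGV>, readline(ARGV),
# readline(*ARGV). The lookarounds exclude <<>> (perl 5.22+), which uses
# three-argument open and therefore treats every argument as a filename.
MAGIC_ARGV_RE = re.compile(r"(?<!<)<(?:ARGV)?>(?!>)|\breadline\s*\(\s*\*?ARGV\s*\)")
DOUBLE_DIAMOND_RE = re.compile(r"<<>>")
PERL_CMD_RE = re.compile(r"\bperl\S*\s+-")   # shebang or shell line handing switches to perl
SWALLOW_REST = set("eEiIMmFl0xCdDVL")          # switches that take the rest of the token as argument (heuristic)

def implicit_loop(line):
    """True if a perl command line or shebang carries -n or -p, which wraps
    the code in an implicit while (<>) loop."""
    tokens = line.split()
    idx = next((i for i, t in enumerate(tokens) if re.search(r"\bperl\S*$", t)), None)
    if idx is None:
        return False
    for tok in tokens[idx + 1:]:
        if not tok.startswith("-") or tok == "--":
            break                          # script name, -e code, or end of switches
        for ch in tok[1:]:
            if ch in "np":
                return True
            if ch in SWALLOW_REST:         # e.g. -i.bak: the rest is an argument, not switches
                break
    return False

def classify_perl_source(src):
    """Findings for one file's text; 'magic_argv' and 'implicit_loop' need a human look."""
    findings = set()
    if MAGIC_ARGV_RE.search(src):
        findings.add("magic_argv")
    if DOUBLE_DIAMOND_RE.search(src):
        findings.add("double_diamond")     # already the hardened form
    if any(implicit_loop(l) for l in src.splitlines() if PERL_CMD_RE.search(l)):
        findings.add("implicit_loop")
    return findings

NEEDS_REVIEW = {"magic_argv", "implicit_loop"}

def count_locations(sources):
    """Number of files needing review, the analogue of the codesearch tally."""
    return sum(1 for src in sources.values() if classify_perl_source(src) & NEEDS_REVIEW)

# Constructed sample sources (hypothetical, not taken from any Debian package).
SAMPLES = {
    "uses_diamond.pl": "#!/usr/bin/perl -w\nwhile (<>) { print if /TODO/ }\n",
    "inplace.pl": "#!/usr/bin/perl -i.bak -p\ns/foo/bar/;\n",
    "double_diamond.pl": "#!/usr/bin/perl\nuse v5.22;\nwhile (<<>>) { print }\n",
    "explicit_open.pl": "#!/usr/bin/perl\nfor my $f (@ARGV) { open(my $fh, '<', $f) or die \"$f: $!\"; print while <$fh>; }\n",
    "wrapper.sh": "#!/bin/sh\nperl -ne 'print if /x/' \"$@\"\n",
}

if __name__ == "__main__":
    for name, src in SAMPLES.items():
        print(f"{name}: {sorted(classify_perl_source(src)) or ['ok']}")
    print("locations to review:", count_locations(SAMPLES))
```

Like the codesearch query, this only finds candidates; each hit still needs a human to decide whether hostile filenames can ever reach it.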