Re^4: TIMTOWDTDI, obfu and analyzis of code (<> broken)


XP is just a number
	PerlMonks

Re^4: TIMTOWDTDI, obfu and analyzis of code (<> broken)

by tye (Sage)

on Mar 12, 2003 at 23:30 UTC ( [id://242535]=note: print w/replies, xml )

Need Help??

in reply to Re: Re^2TIMTOWDTDI, obfu and analyzis of code (<> broken)
in thread TIMTOWDTDI, obfu and analyzis of code

To "fix" this would fix more existing code than it would break existing code. In fact, this sounds like something that should be in a CERT advisory not something to be kept for backward compatability.

The amount of code that intends to take advantage of this behavior is tiny. The amount of code at risk because of this behavior is huge.

My choice would be to require

    use open IN => ":magic";
[download]

to get the current (hopefully soon to be "old") behavior rather than sane behavior.

And tainting isn't much of a solution. It is very easy to see situations where privileged users run a not-tainted script that looks up filenames from directories where less-privileged users can create files. For any reasonable program, this is a safe thing to do and so is not something people worry about or use "tainting" to protect against.

- tye

Comment on Re^4: TIMTOWDTDI, obfu and analyzis of code (<> broken) Download Code

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://242535]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others sharing their wisdom with the Monastery: (6)

As of 2024-04-18 08:52 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found