Well. Ignoring that you are someone else, explaining someone else's reasoning, and indeed, the reasoning you explain is mostly not yours or the OP's; it will suffice to demonstrate that the OP's PerlCritic code does not even attempt to encapsulate the reasoning you've explained.

The difference between the rule coded and the salient part of your explanation--that is somewhat diluted in your explanation through lack of emphasis and entirely omitted from your quoted reference--is your second sentence:

It can be dangerous if passed unclean user input.

Even in that simple prerequisite there are two conditional parts that are entirely omitted from the rule as coded:

  1. can be
  2. unclean user input

Most Perl scripts are invoked by a user from a shell command line. The user has no need to deviously pass contaminated arguments into Perl scripts in order to have those scripts pass them on to the shell as they can do it directly.

Most system & exec invocations within Perl scripts do not pass unclean user input as a part of their arguments.

Omitting checks in the rule to allow scripts the benefits of reusing the facilities provided by system shells, where doing so does not conflict with security, is like passing a law that says 'no one is allowed to cross a road'.

It can be dangerous to cross a road without looking; but if the road is empty, or if the road is a private road currently closed to vehicular traffic; or if you are of sound mind, with reasonable eyesight, and no mobility impediments and you look first; it's probably okay to cross roads.

Imagine life if a law was imposed upon everyone that they could never cross roads because doing so can sometimes be dangerous if insufficient care is taken when doing so?

Of course, it would be quite difficult to encapsulate the logic required to verify whether a particular use of the single argument system or exec was likely to fall foul of the particular set of circumstances that would render that usage unsafe--but flagging all uses as unsafe because it is easier than performing the checks is not an acceptable alternative.

This is the metaphoric equivalent of imposing a blanket ban on eating out because some chefs are insufficiently aware of the rules for food preparation and might therefore give their client salmonella.


Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.
Lingua non convalesco, consenesco et abolesco. -- Rule 1 has a caveat! -- Who broke the cabal?
"Science is about questioning the status quo. Questioning authority".
In the absence of evidence, opinion is indistinguishable from prejudice.

In reply to Re^3: RFC: Perl-Critic policy: ProhibitInlineSystemArgs by BrowserUk
in thread RFC: Perl-Critic policy: ProhibitInlineSystemArgs by davidrw
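As an added example, not part of BrowserUk's post or of the proposed Perl-Critic policy, the Perl below separates the cases the post runs together under "single argument system or exec": a fixed literal string that deliberately uses the shell's pipe, user-supplied data that is allowlist-checked before it goes anywhere near a command, and the list form of system(), which never invokes a shell. The directory paths and the sample inputs are constructed for the demonstration; the allowlist regex is one illustrative choice, not a recommendation for every script.

```perl
#!/usr/bin/perl
use strict;
use warnings;

# Case 1: single-argument form with a literal, fixed string.
# Because of the pipe Perl hands this to /bin/sh, which is the point:
# the script reuses the shell's plumbing, and no external data is involved.
# A rule that flags this call is flagging the "can be" case, not an actual risk.
sub count_entries_in_tmp {
    my $out = `ls -1 /tmp | wc -l`;   # backticks follow the same single-string rule
    chomp $out;
    return $out;
}

# Case 2: an allowlist check for data that did come from a user.
# Returns the validated value or dies. This capture-and-return idiom is what
# taint mode (perl -T) requires before tainted data may reach system/exec.
# Constructed allowlist: word characters, dot, slash and hyphen only.
sub untaint_path {
    my ($input) = @_;
    if ($input =~ m{\A([\w./-]+)\z}) {
        return $1;                      # the capture is the untainted value
    }
    die "refusing path with unexpected characters: '$input'\n";
}

# Case 3: the list form. With more than one argument Perl execs the
# program directly, so whatever is in $path is a single argv element and
# shell metacharacters in it are never interpreted.
sub list_directory {
    my ($path) = @_;
    my $rc = system('ls', '-ld', '--', $path);
    return $rc == 0;
}

# Constructed sample inputs: two ordinary paths and two that would be
# "unclean" if they had been interpolated into a single-string system().
my @samples = ('/tmp', '/etc/hostname', 'notes; echo oops', 'report$(id).txt');

for my $s (@samples) {
    my $clean = eval { untaint_path($s) };
    if (!defined $clean) {
        print "REJECTED: $@";
        next;
    }
    print "accepted '$clean'\n";
    list_directory($clean) or print "  (ls failed for '$clean')\n";
}

print "entries in /tmp: ", count_entries_in_tmp(), "\n";
```

Run it as `perl example.pl`; running it under `perl -T example.pl` instead shows the runtime counterpart of the check the post says the static rule omits: Perl itself refuses to pass tainted data to system or exec until something like untaint_path has validated it, while the fixed-string call in count_entries_in_tmp is only rejected if the environment (such as $ENV{PATH}) is itself tainted.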
