Beefy Boxes and Bandwidth Generously Provided by pair Networks
Don't ask to ask, just ask
 
PerlMonks  

Re^3: magic-diamond <> behavior -- WHAT?!

by JavaFan (Canon)
on Oct 30, 2008 at 00:52 UTC ( [id://720376]=note: print w/replies, xml ) Need Help??


in reply to Re^2: magic-diamond <> behavior -- WHAT?!
in thread magic-diamond <> behavior -- WHAT?!

Allowing arbitrary execution of shell commands is a cardinal sin in security. Not only that, the magic-diamond does it implicitly. This goes beyond the realm of making "easy things easy, and hard things possible". This is a security-hole, IMHO.
It's no more a security hole than "system" is. Or a kitchen knife a murder weapon. Magic open was there before the fast majority of the current Perl programmers even knew there was such a thing as Perl, and it has been documented that way.
For example, would you ever expect the following to execute shell commands? Currently, it can. 
# strip "#"-till-EOL
perl -pe 's/#.*$//' *

[download]
I certainly don't. I see this as a read-only operation that prints to STDOUT, and I'd like to be able to assume so.
Too bad. It isn't going to change. But with the addition of a single keystroke, that filter won't execute arbitrary shell commands. And IMO, it's always a good idea to enable tainting if you're running in an environment you cannot trust (but then, if you cannot trust the environment, is such a broad shell expansion a good idea in the first place?)
Let's lessen that impact -- the security and robustness benefits will exceed the gains of the obscure magic. Just my opinion.
Noted. But in my opinion, fundamentally changing the behaviour of a feature that predates the existence of perl5 doesn't justify the gain - specially not if the gain can be gotten by running with tainting on. Which even predates 3-arg open.
Doesn't it seem ridiculous to have ARGV::readonly instead of the inverse-situation of having (the fictional) ARGV::magical?
Not to me.

Replies are listed 'Best First'.
Re^4: magic-diamond <> behavior -- WHAT?!
by repellent (Priest) on Oct 30, 2008 at 01:33 UTC
      It's no more a security hole than "system" is. Or a kitchen knife a murder weapon. Magic open was there before the fast majority of the current Perl programmers even knew there was such a thing as Perl, and it has been documented that way.

    I disagree. system is an explicit call. By analogy, if I were to system(), I would pick up the kitchen knife and know better. With the magic-diamond <>, the knife may magically backstab me without me even realizing what happened ;-) I know now, but how about the uninformed?

    I can respect legacy since magic open existed a long time ago. But sometimes legacy needs to change for the sake of security considerations.

      But with the addition of a single keystroke, that filter won't execute arbitrary shell commands.

    Awww man.. now I've got to taint my simple filters? How is this making it easy and safe for common & simple read-only filter operations, like the one in my previous post?

      And IMO, it's always a good idea to enable tainting if you're running in an environment you cannot trust (but then, if you cannot trust the environment, is such a broad shell expansion a good idea in the first place?)

    At $WORK, I can trust that my environment is not hostile. But I don't trust that my environment is error-free. So, you can say it's sort of a semi-trust :-) The last thing I need to worry about is how filenames will affect my Perl filters.
[reply]
[d/l]
      Awww man.. now I've got to taint my simple filters?
      No, you only need to taint your filters if you do three things at once:
      1. Use magic open.
      2. Use a broad shell expansion.
      3. Run in an untrusted environment.
      The answer to "I've untrusted data, and I may be using it in a way that can harm me" is almost always to enable tainting. We don't change operations just because someone is not careful enough when coding. I don't see why magic open should be different.

      And it's not just me. On the forum where it matters, p5p, the idea gets shot down as well.

[reply]
          1. Use magic open.

        That's everytime -n or -p is used. If tainting was employed, it defeats the purpose of using the shorthand notation in the first place.

          2. Use a broad shell expansion.

        This cannot be anticipated by the perl program. Perl gets @ARGV as it is from the executing shell because the shell has already done the expansion.

          3. Run in an untrusted environment.

        Well, even if the environment is trusted, the possibility of stray filenames can cause other types of damage. I mean, bad filenames may be created unintentionally by some other program working in tandem with perl's <ARGV>.
[reply]
[d/l]
[select]
    A reply falls below the community's threshold of quality. You may see it by logging in.

In Section Seekers of Perl Wisdom

Log In?
Username:
Password:

What's my password?
Create A New User
Domain Nodelet?

www.com | www.net | www.org
Node Status?
node history
Node Type: note [id://720376]
help
Chatterbox?
and the web crawler heard nothing...

How do I use this?Last hourOther CB clients
Other Users?
Others avoiding work at the Monastery: (5)
As of 2024-04-19 22:50 GMT
Sections?
Information?
Find Nodes?
Leftovers?
    Voting Booth?

    No recent polls found