Re (tilly) 1: Two-arg open() considered dangerous
by tilly (Archbishop) on Dec 12, 2001 at 02:46 UTC
Careful thought about that venerable security hole:
open(INPUT, param("input"));
demonstrates the truth of what you say. Essentially any API which makes data and metadata easily confused should be viewed with suspicion.
But given that the 3-argument open is not documented as of 5.005_03, I would be cautious about suggesting that people use it in any code whose use is meant to be portable. People will have to use sysopen instead, but now you have to go through extra hoops to pull in the right values of your flags from Fcntl.
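To make the point about data and metadata concrete, here is an added example (not code from the thread) that hands the same constructed strings to two-arg open() and to three-arg open() and reports what each did on disk. The temporary directory, the sample file names and the harmless `echo pwned` command are all made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): feed the same "user input" strings to
# two-arg open() and to three-arg open(), then look at what happened on disk.
# Everything runs inside a throwaway temporary directory.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# Constructed values, as they might arrive via param("input").
my @inputs = (
    'notes.txt',        # benign
    '> notes.txt',      # two-arg: truncates the existing file
    '>> created.txt',   # two-arg: creates a new file for append
    'echo pwned |',     # two-arg: runs a shell command and reads its output
);

# Each opener returns a filehandle, or undef on failure.
my @openers = (
    [ 'two-arg'   => sub { open my $fh, $_[0]      or return; $fh } ],
    [ 'three-arg' => sub { open my $fh, '<', $_[0] or return; $fh } ],
);

# Start every probe from the same state: one file with known contents.
sub reset_dir {
    unlink $_ for glob '*';
    open my $fh, '>', 'notes.txt' or die "notes.txt: $!";
    print $fh "original\n";
    close $fh;
}

sub contents_of {
    my ($name) = @_;
    open my $fh, '<', $name or return '(missing)';
    local $/;
    my $data = <$fh>;
    close $fh;
    $data = '' unless defined $data;
    chomp $data;
    return $data eq '' ? '(empty)' : $data;
}

sub listing {
    opendir my $dh, '.' or die "opendir: $!";
    my @names = sort grep { $_ ne '.' && $_ ne '..' } readdir $dh;
    closedir $dh;
    return join ' ', @names;
}

for my $input (@inputs) {
    for my $pair (@openers) {
        my ($label, $opener) = @$pair;
        reset_dir();
        my $fh = $opener->($input);
        my $report;
        if ($fh) {
            my $line;
            { no warnings 'io'; $line = <$fh>; }   # undef on a write-only handle
            close $fh;
            chomp $line if defined $line;
            $report = sprintf 'opened, read=%s, notes.txt=%s, files: %s',
                defined $line ? "'$line'" : 'nothing',
                contents_of('notes.txt'), listing();
        }
        else {
            $report = "open failed ($!)";
        }
        printf "%-9s %-16s %s\n", $label, "'$input'", $report;
    }
}
```

Two-arg open treats '> notes.txt' as a truncating write, '>> created.txt' as a create-for-append, and 'echo pwned |' as a command to run; three-arg open with an explicit '<' mode fails with "No such file or directory" on all three because the whole string is the filename.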
Incidentally, I'd say that this tilly quote deserves preservation:
Any API which makes data and metadata easily confused should be viewed with suspicion.
-- tilly
-- Chip Salzenberg, Free-Floating Agent of Chaos
I agree that three-arg open is a bit new to depend on, but
sysopen may not be inconvenient. Specifically,
it's guaranteed{1} that O_RDONLY,
O_WRONLY, and O_RDWR have the values
zero, one, and two, respectively. So sysopen FOO, $file, 0
should work everywhere in the known universe.
{1} This is OK to count on because the C function open()
originates with Unix, and for backwards compatibility with
ancient UNIX code, the second parameter of open() must accept
zero/one/two.
-- Chip Salzenberg, Free-Floating Agent of Chaos
It is not guaranteed. From 'perldoc -f sysopen' on 5.005_03 I get:
=item sysopen FILEHANDLE,FILENAME,MODE
=item sysopen FILEHANDLE,FILENAME,MODE,PERMS
[ snip ]
The possible values and flag bits of the MODE parameter are
system-dependent; they are available via the standard module C<Fcntl>.
For historical reasons, some values work on almost every system
supported by perl: zero means read-only, one means write-only, and two
means read/write. We know that these values do I<not> work under
OS/390 & VM/ESA Unix and on the Macintosh; you probably don't want to
use them in new code.
So those values probably work. But not always.
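For the Fcntl route mentioned above, the following added example (not from the thread) opens files with sysopen() and flags imported from Fcntl, so nothing depends on O_RDONLY being 0 on the running platform, and it uses O_EXCL so that an existing file is refused rather than clobbered. The path and file contents are made up for the demonstration.

```perl
#!/usr/bin/perl
# Added example (not from the thread): sysopen() with flags imported from
# Fcntl rather than the bare 0/1/2 constants, plus O_EXCL so that an existing
# file is refused instead of clobbered. Paths live in a throwaway tempdir.
use strict;
use warnings;
use Fcntl qw(O_RDONLY O_WRONLY O_CREAT O_EXCL O_APPEND);
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);

# Ask Fcntl what this platform really uses instead of assuming 0/1/2.
printf "O_RDONLY=%d O_WRONLY=%d O_CREAT=%#o O_EXCL=%#o O_APPEND=%#o\n",
    O_RDONLY, O_WRONLY, O_CREAT, O_EXCL, O_APPEND;

# Create a file that must not already exist. The second argument is a pure
# filename: a '>' or '|' inside it would be an ordinary character.
sub create_new {
    my ($path, $data) = @_;
    sysopen my $fh, $path, O_WRONLY | O_CREAT | O_EXCL, 0600
        or return "refused: $!";
    print $fh $data;
    close $fh or return "close failed: $!";
    return 'created';
}

sub append_to {
    my ($path, $data) = @_;
    sysopen my $fh, $path, O_WRONLY | O_APPEND or return "refused: $!";
    print $fh $data;
    close $fh;
    return 'appended';
}

sub slurp {
    my ($path) = @_;
    sysopen my $fh, $path, O_RDONLY or return "refused: $!";
    local $/;
    my $data = <$fh>;
    close $fh;
    return defined $data ? $data : '';
}

my $path = "$dir/report.txt";
print "first create:  ", create_new($path, "line 1\n"), "\n";
print "second create: ", create_new($path, "overwrite attempt\n"), "\n";
print "append:        ", append_to($path, "line 2\n"), "\n";
print "contents:\n", slurp($path);
```

The second create_new call is refused with "File exists" because of O_EXCL; the same flag is what you want whenever the path is under an attacker's influence, since a plain O_CREAT would happily follow a pre-planted symlink and write wherever it points.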
Re: Two-arg open() considered dangerous
by rob_au (Abbot) on Dec 12, 2001 at 05:11 UTC
For the most part, doesn't this "security danger" simply come down more to the vetting of parameters passed to functions, rather than the functions themselves? I mean, with the use of taint mode (-T), such an open statement would not be allowed as it (presumably) represents a passed parameter which has not been vetted prior to its passing onto open.
I do however agree with you most heartily on the matter of sysopen() - A most underused and useful function ...
perl -e 's&&rob@cowsnet.com.au&&&split/[@.]/&&s&.com.&_&&&print'
Re: Two-arg open() considered dangerous
by japhy (Canon) on Dec 12, 2001 at 03:50 UTC
Um, that's why you should explicitly enter the mode yourself.
open F, "< $f";
open F, "> $f";
open F, ">> $f";
# etc.
_____________________________________________________
Jeff[japhy]Pinyan:
Perl,
regex,
and perl
hacker.
s++=END;++y(;-P)}y js++=;shajsj<++y(p-q)}?print:??;
Japhy, you've fallen into the whitespace trap! How does "< $f"
help you if $f starts with a space?
If two-arg open() can mislead as esteemed a monk as japhy,
surely we should urge less experienced monks to steer clear of it.
-- Chip Salzenberg, Free-Floating Agent of Chaos
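An added example (not code from the thread) that shows the whitespace trap described above: two files whose names differ only by a leading space, opened through the "< $f" form and through three-arg open(). The file names and contents are constructed, and the run assumes a POSIX filesystem, since Windows does not allow such names.

```perl
#!/usr/bin/perl
# Added example (not from the thread): "< $f" stops the pipe and mode tricks,
# but two-arg open() still strips leading and trailing whitespace from the
# name, so it opens a different file than the one named. Uses a throwaway
# temporary directory on a POSIX filesystem.
use strict;
use warnings;
use File::Temp qw(tempdir);

my $dir = tempdir(CLEANUP => 1);
chdir $dir or die "chdir $dir: $!";

# Two distinct files, one whose name really begins with a space (constructed).
my %files = ('notes.txt' => "plain file\n", ' notes.txt' => "leading-space file\n");
for my $name (keys %files) {
    open my $fh, '>', $name or die "$name: $!";   # three-arg keeps the space
    print $fh $files{$name};
    close $fh;
}

sub via_two_arg {
    my ($f) = @_;
    open my $fh, "< $f" or return "open failed ($!)";
    chomp(my $line = <$fh>);
    close $fh;
    return $line;
}

sub via_three_arg {
    my ($f) = @_;
    open my $fh, '<', $f or return "open failed ($!)";
    chomp(my $line = <$fh>);
    close $fh;
    return $line;
}

for my $f ('notes.txt', ' notes.txt', 'notes.txt ') {
    printf "%-14s two-arg: %-22s three-arg: %s\n",
        "'$f'", via_two_arg($f), via_three_arg($f);
}
```

With "< $f", both ' notes.txt' and 'notes.txt ' quietly open notes.txt; three-arg open reaches the leading-space file by its real name and fails honestly on the trailing-space name that does not exist.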
I think anyone starting a filename with whitespace
deserves to suffer. (Actually, I dislike any whitespace
at all in a filename, but at least bash will tab-complete
those cases. :)
Re: Two-arg open() considered dangerous
by demerphq (Chancellor) on Dec 12, 2001 at 17:55 UTC
So I suppose the one arg open() is right out?
:-)
our $FILE="d:/temp/the_dang_file.txt";
open FILE or die "$FILE:$!";
Heh.
Yves / DeMerphq
--
This space for rent.