Re^2: Ideas Wanted for Perl::Critic Security Policies


go ahead... be a heretic
	PerlMonks

Re^2: Ideas Wanted for Perl::Critic Security Policies

by davidrw (Prior)

on Jul 01, 2006 at 00:40 UTC ( [id://558708]=note: print w/replies, xml )

Need Help??

in reply to Re: Ideas Wanted for Perl::Critic Security Policies
in thread Ideas Wanted for Perl::Critic Security Policies

Using the 3-parameter form of open would be a good practice to check for.
There's a InputOutput::ProhibitTwoArgOpen in the Perl::Critic distro already..

The DBI one would be a 'challenge' :) .. not sure how it'd be possible to distinguish between $dbh->prepare("update table set my_val = $somevalue") (NOT OK) and $dbh->prepare("update $TABLENAME set my_val = ?") (OK) without actually parsing the sql .. plus there's the circumvention of $sql = "update table set my_val = $somevalue"; $sth=$dbh->prepare($sql); as well (or can you back-trace that w/PPI?)..

I took a crack at the system/exec one (see RFC: Perl-Critic policy: ProhibitInlineSystemArgs), though i think there's problems catching all of those, too.. e.g. system( join(" ", $cmd, @args) )

Comment on Re^2: Ideas Wanted for Perl::Critic Security Policies Select or Download Code

In Section Meditations

Domain Nodelet^?

www.com | www.net | www.org

Node Status^?

node history
Node Type: note [id://558708]
help

Chatterbox^?

How do I use this? • Last hour • Other CB clients

Other Users^?

Others admiring the Monastery: (2)

As of 2024-04-26 03:24 GMT

Sections^?

Information^?

Find Nodes^?

Leftovers^?

Today I Learned

Voting Booth^?

No recent polls found