in reply to More on directory recursion

I don't know much about this, but there is apparently a security issue here, so I'd like to extend this question a bit. On page 321 of the Perl Cookbook, it states (English purists like myself will cringe at the placement of the last prepositional phrase, but that's another issue :).

The Holy Cookbook further states that

While I have seen warnings about setuid and setgid scripts, I haven't had the opportunity to write any yet, so I am not aware of the security issues here. Enlightenment would put me a step closer to Perl nerdvana :)

RE: Re: More on directory recursion
by takshaka (Friar) on Jun 12, 2000 at 22:51 UTC
    Pre-5.6 glob forks a shell and lets csh do the filename expansion. Allowing users to pass arbitrary strings to the shell is a Bad Thing, especially when you're running as root.

    5.6, however, implements glob internally through File::Glob, so it's a lot safer (though that feature is currently labelled "experimental").

    Update: This snippet from perlop should make it clear what is going on with glob on pre-5.6 Perl:

        while (<*.c>) {
            chmod 0644, $_;
        }

    is equivalent to

        open(FOO, "echo *.c | tr -s ' \t\r\f' '\\012\\012\\012\\012'|");
        while (<FOO>) {
            chop;
            chmod 0644, $_;
        }

    In fact, it's currently implemented that way. (Which means it will not work on filenames with spaces in them unless you have csh(1) on your machine.)
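
Added example (not part of the thread or of perlop): one way to match a user-supplied wildcard against a directory with no shell involved, using opendir/readdir instead of glob. The helper names `wildcard_to_regex` and `safe_match`, the restriction to `*` and `?`, and the sample file names are assumptions made for illustration; it assumes a Perl with lexical filehandles and File::Temp.

```perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Translate a restricted wildcard pattern (only * and ? are special) into an
# anchored regex. Every other character is quoted, so shell metacharacters
# in the pattern are matched literally and never interpreted.
sub wildcard_to_regex {
    my ($pattern) = @_;
    die "pattern must be a non-empty string\n"
        unless defined $pattern && length $pattern;
    die "pattern may not contain '/' or NUL\n" if $pattern =~ m{[/\0]};
    my $re = join '', map {
          $_ eq '*' ? '[^/]*'
        : $_ eq '?' ? '[^/]'
        :             quotemeta($_)
    } split //, $pattern;
    return qr/\A$re\z/s;
}

# Return the sorted entries of $dir that match $pattern. Only "." and ".."
# are skipped; the directory is read in-process, so nothing is forked.
sub safe_match {
    my ($dir, $pattern) = @_;
    my $re = wildcard_to_regex($pattern);
    opendir(my $dh, $dir) or die "cannot open $dir: $!\n";
    my @names = grep { !/\A\.\.?\z/ && $_ =~ $re } readdir $dh;
    closedir $dh;
    return sort @names;
}

# Constructed sample data: a scratch directory, including a name with a space.
my $dir = tempdir(CLEANUP => 1);
for my $name ('a.c', 'b.c', 'has space.c', 'notes.txt') {
    open(my $fh, '>', "$dir/$name") or die "cannot create $name: $!\n";
    close $fh;
}

# Matches a.c, b.c and "has space.c"; the space needs no special handling.
print "match: $_\n" for safe_match($dir, '*.c');

# A pattern containing ';' is compared literally, so it matches nothing here.
print "literal pattern matched ", scalar(my @none = safe_match($dir, '*.c;x')), " files\n";

# Path separators are refused, so the pattern cannot leave $dir.
eval { safe_match($dir, '../*') };
print "rejected: $@" if $@;
```

Under taint mode (`-T`, which setuid scripts run with), the names returned by readdir are themselves tainted.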