in reply to Re: Re^2TIMTOWDTDI, obfu and analyzis of code (<> broken)
in thread TIMTOWDTDI, obfu and analyzis of code
To "fix" this would fix more existing code than it would break existing code. In fact, this sounds like something that should be in a CERT advisory not something to be kept for backward compatability.
The amount of code that intends to take advantage of this behavior is tiny. The amount of code at risk because of this behavior is huge.
My choice would be to require
to get the current (hopefully soon to be "old") behavior rather than sane behavior.use open IN => ":magic";
And tainting isn't much of a solution. It is very easy to see situations where privileged users run a not-tainted script that looks up filenames from directories where less-privileged users can create files. For any reasonable program, this is a safe thing to do and so is not something people worry about or use "tainting" to protect against.
- tye
|
|---|