In #perlhelp on EFnet, someone said:
The first one is safe to run. It prints "Hello, world". The second one is on most systems not safe to run. It deletes everything it can, starting at /.14:01 < mauke> Is this a feature? mkdir tmp; cd tmp; touch 'echo Hello +, world |'; perl -pe1 * 14:03 < mauke> Even better: touch 'rm -rf `echo \\\\57` |'; perl -pe1 +*
This feature is documented in perlop:
You can even set them to pipe commands. For example, this automatically filters compressed arguments through gzip: @ARGV = map { /\.(gz|Z)$/ ? "gzip -dc < $_ |" : $_ } @ARGV;
So all code using the filehandle ARGV (this includes oneliners using -n or -p) is unsafe if used with shell globs.
Unfortunately, -p and -n are used in a LOT of places. Often in scripts that cron starts once a day. Often running as root. I found 5 root holes on my server system.
The fix is easy, but a lot of typing, which isn't handy for oneliners. You should open the files explicitly, using 3-argument open.
Too bad this is a feature. If it weren't documented, I'd say it's a bug and a very scary one too.
:(
Juerd # { site => 'juerd.nl', plp_site => 'plp.juerd.nl', do_not_use => 'spamtrap' }
In reply to Dangerous diamonds! by Juerd
| For: | Use: | ||
| & | & | ||
| < | < | ||
| > | > | ||
| [ | [ | ||
| ] | ] |