in reply to Bad code from the trenches

Security hole: $dest is in double quotes. If it contains something like @{[ arbitrary Perl code here]} then that Perl code will be executed. (Code interpolation in double quote context.)

This one is clearly false. The other one (2-arg open) is indeed a security bug.

(Update: formatting)

Re^2: Bad code from the trenches
by dragonchild (Archbishop) on Mar 14, 2005 at 13:52 UTC
    Oh? So, what does the following do?
    my $y = "Boo!";
    my $x = "@{[print $y, $/]}";

    Being right, does not endow the right to be rude; politeness costs nothing.
    Being unknowing, is not the same as being stupid.
    Expressing a contrary opinion, whether to the individual or the group, is more often a sign of deeper thought than of cantankerous belligerence.
    Do not mistake your goals as the only goals; your opinion as the only opinion; your confidence as correctness. Saying you know better is not the same as explaining you know better.

      That's not the example. The example is:

      my $y = 'Boo!';
      my $x = '@{[print $y, $/]}'; # note the single quotes here
      my $z = "$x";
      print $z;
        Huh. Interesting ... is there a way to force interpolation of the text in $x?

        Being right, does not endow the right to be rude; politeness costs nothing.
        Being unknowing, is not the same as being stupid.
        Expressing a contrary opinion, whether to the individual or the group, is more often a sign of deeper thought than of cantankerous belligerence.
        Do not mistake your goals as the only goals; your opinion as the only opinion; your confidence as correctness. Saying you know better is not the same as explaining you know better.
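
Added example, not code from the thread or its posters: a side-by-side check of when the `@{[ ... ]}` construct actually executes, which is the point the posts above disagree on. The helper names `hit` and `check` are hypothetical, and the value placed in `$dest` is a constructed sample standing in for externally supplied data.

```perl
#!/usr/bin/perl
use strict;
use warnings;

my $runs = 0;                              # counts executions of the embedded block
sub hit { $runs++; return 'EXECUTED' }     # harmless stand-in for "arbitrary Perl code"

my @report;
sub check {
    my ($label, $code) = @_;
    my $before = $runs;
    my $value  = $code->();
    push @report, sprintf "%-28s runs=%d  value=%s", $label, $runs - $before, $value;
}

# Constructed sample: the construct arrives as data, as it would in $dest.
my $dest = '@{[ hit() ]}';

# The construct written in the source of a double-quoted literal: compiled as code.
check('literal in source',         sub { "@{[ hit() ]}" });
# The same characters held in a variable: inserted verbatim, never re-parsed.
check('variable in double quotes', sub { "cp src $dest" });
check('second pass of quoting',    sub { my $z = "$dest"; "$z" });
check('sprintf / concatenation',   sub { sprintf('%s', $dest) . '' });
# Only a string eval hands the data back to the Perl parser.
check('string eval of the data',   sub { eval qq{"$dest"} });

print "$_\n" for @report;
```

When auditing code like the snippet under discussion, the pattern to look for is data reaching a string `eval` (or the 2-arg `open` already noted above), not a variable sitting inside double quotes.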