in reply to Re^4: magic-diamond <> behavior -- WHAT?!
in thread magic-diamond <> behavior -- WHAT?!

What do you mean by "really know"?
Heh, you introducted this root, not me:
Some of these scripts are run by root, and he may don't even know that they written in Perl, I don't think he checking that there are no files with | or < in their names.

And root access is not a requirement to fall into that trap, ordinary users, who don't even know what Perl is, also can run these scripts.
Running whatever * while not knowing what * expands to or what whatever does is dangerous regardless of the language whatever is written in. Disabling magic open in Perl isn't going to fix the potential problems with this technique.

It's like saying "let's turn all Toyotas into bumper cars, as there are people crossing the road with their eyes closed". That doesn't make crossing the road with your eyes closed safe - you still get run down by Fords and other cars.

Replies are listed 'Best First'.
Re^6: magic-diamond <> behavior -- WHAT?!
by zwon (Abbot) on Oct 28, 2009 at 10:24 UTC
    Running whatever * while not knowing what * expands to

    I always felt safe running grep something *, can you enlighten me how it can be dangerous?

    or what whatever does

    in this case question is how whatever is implemented

    It's like saying "let's turn all Toyotas into bumper cars

    It's like saying let's equip every Toyota with safety belts.

[reply]
[d/l]
      How about rm -i *? Do you think it's safe, specially because you asked it to ask you before removing a file? You'd be surprised if there's a file name -f. How about scp * remote:? That might do something unexpected there's a file somehost:bla, or even otherhost:*.

      There's no guarantee any program treats a filename given as argument as nothing else than a filename. In fact, most programs don't. And you should be quite aware of that when using *, or any other form of expansion (for instance, when using find ... | xargs). Being aware of what you are doing is far more useful than removing magic open.

      It's like saying let's equip every Toyota with safety belts.
      That doesn't help the person crossing the street with his eyes closed, does it?
[reply]
[d/l]
[select]

        That's certainly a point. But here's also some difference -- man pages for both rm and scp explicitly mention these cases and how to workaround them, documentation for prove doesn't.

[reply]

In Section Seekers of Perl Wisdom