Re^3: Passing a Filehandle that Might be a Bareword

It would be better (IMHO) to accept a file name (in taint mode) and sanitize it within your module.

The intent was to reinforce that incoming information (in this case a file handle with no other attached information) should be sanitized within your module.
While the source could well be benign, it is not that hard to use secure practices from the start.
Given that my background is information and systems security, I tend to preach security best practices (in conjunction with PBP ;-), of course).

Comment on Re^3: Passing a Filehandle that Might be a Bareword

Replies are listed 'Best First'.
Re^4: Passing a Filehandle that Might be a Bareword by BrowserUk (Patriarch) on May 30, 2010 at 15:30 UTC
The intent was to reinforce that incoming information (in this case a file handle with no other attached information) should be sanitized within your module. While the source could well be benign, it is not that hard to use secure practices from the start. Given that my background is information and systems security, I tend to preach security best practices (in conjunction with PBP ;-), of course). Sorry, but that is total bulls...! You're not preaching security, you're preaching pointless paranoia. And quoting "PBP" does not change that. There is nothing you can do within a third-party module to validate a filename given to you by the caller, that the caller cannot do for himself. What are you going to do, take a look at the filename a reject it because you don't like the way it spelt? Or reject it because it's all uppercase? Say "No, I'm not going to allow you to open that file"? There is no way a module can hope to internally perform the correct checks for every possible caller, so the only sensible option is to leave the caller to perform all the checks they require, and do none inside the module, because they would either be wrong, or redundant. The only thing a module should do with a filename is try and open it, and report an error if the attempt fails. And once you realise that, then having the module accept a filehandle rather than a filename is just common sense. Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error. "Science is about questioning the status quo. Questioning authority". In the absence of evidence, opinion is indistinguishable from prejudice. RIP an inspiration; A true Folk's Guy	[reply]

Replies are listed 'Best First'.

Re^4: Passing a Filehandle that Might be a Bareword
by BrowserUk (Patriarch) on May 30, 2010 at 15:30 UTC

The intent was to reinforce that incoming information (in this case a file handle with no other attached information) should be sanitized within your module.
While the source could well be benign, it is not that hard to use secure practices from the start.
Given that my background is information and systems security, I tend to preach security best practices (in conjunction with PBP ;-), of course).

Sorry, but that is total bulls...! You're not preaching security, you're preaching pointless paranoia. And quoting "PBP" does not change that.

There is nothing you can do within a third-party module to validate a filename given to you by the caller, that the caller cannot do for himself. What are you going to do, take a look at the filename a reject it because you don't like the way it spelt? Or reject it because it's all uppercase? Say "No, I'm not going to allow you to open that file"?

There is no way a module can hope to internally perform the correct checks for every possible caller, so the only sensible option is to leave the caller to perform all the checks they require, and do none inside the module, because they would either be wrong, or redundant.

The only thing a module should do with a filename is try and open it, and report an error if the attempt fails. And once you realise that, then having the module accept a filehandle rather than a filename is just common sense.

Examine what is said, not who speaks -- Silence betokens consent -- Love the truth but pardon error.

"Science is about questioning the status quo. Questioning authority".

In the absence of evidence, opinion is indistinguishable from prejudice.

RIP an inspiration; A true Folk's Guy

[reply]