* Qualys Security Advisory <q...@qualys.com>, 2024-11-19 16:25:
We therefore grepped the ScanDeps module for one of the oldest pitfalls
of the Perl programming language: the two-argument form of open(),
When looking for this kind of vulnerabilities a few years ago, I patched
my Perl interpreter to issue runtime warnings against suspicious
two-argument open() calls.
The patch still applies cleanly, and apparently even works, so I've
attached it here. Maybe someone will find it useful.
--
Jakub Wilk
From: Jakub Wilk <jw...@jwilk.net>
Date: Sat, 26 Jan 2019 17:48:21 +0100
Subject: [PATCH] Warn against suspicious two-argument open() calls.
$ perl -e 'print <>' /etc/issue
two-argument open(..., "/etc/issue") at -e line 1.
Debian GNU/Linux 9 \n \l
$ perl -e 'print <<>>' /etc/issue
Debian GNU/Linux 9 \n \l
---
doio.c | 3 +++
1 file changed, 3 insertions(+)
--- a/doio.c
+++ b/doio.c
@@ -491,6 +491,9 @@
bool was_fdopen = FALSE;
char *type = NULL;
+ if (num_svs == 0 && oname[0] != '<' && oname[0] != '>')
+ Perl_ck_warner_d(aTHX_ packWARN(WARN_DEPRECATED), "two-argument open(..., \"%s\")", oname);
+
PERL_ARGS_ASSERT_DO_OPEN6;
/* For ease of blame back to 5.000, keep the existing indenting. */
