Timothy Legge <timle...@cpansec.org> writes:
> [...]
> File::Find::Rule through 0.34 for Perl is vulnerable to Arbitrary Code
> Execution when `grep()` encounters a crafted filename.
>
> A file handle is opened with the 2 argument form of `open()` allowing
> an attacker controlled filename to provide the MODE parameter to
> `open()`, turning the filename into a command to be executed.
>

FWIW, I've started a broader discussion on the future of 2-arg open on p5p at https://www.nntp.perl.org/group/perl.perl5.porters/2025/06/msg269996.html.
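
The difference between the two forms of `open()` described in the quoted advisory, as an added example that is not part of this message and is not File::Find::Rule code. The helper names `two_arg_interpretation` and `open_literal` are hypothetical, the filenames are constructed samples, and a POSIX filesystem is assumed. The 2-argument form is only classified here, never called.

```perl
#!/usr/bin/perl
use strict;
use warnings;
use File::Temp qw(tempdir);

# Hypothetical helper: report how 2-arg open(FH, $name) would read $name.
# It inspects the string only; it does not open anything.
sub two_arg_interpretation {
    my ($name) = @_;
    (my $t = $name) =~ s/^\s+|\s+$//g;   # 2-arg open ignores surrounding whitespace
    return 'command, pipe from' if $t =~ /\|$/;     # trailing "|"
    return 'command, pipe to'   if $t =~ /^\|/;     # leading "|"
    return 'write mode'         if $t =~ /^\+?>/;   # ">", ">>", "+>"
    return 'read/write mode'    if $t =~ /^\+</;    # "+<"
    return 'mode prefix eaten'  if $t =~ /^</;      # "<name" opens "name"
    return 'plain read';
}

# Hypothetical helper: 3-arg open. The mode is a fixed literal, so $path is
# only ever treated as a filename, whatever characters it contains.
sub open_literal {
    my ($path) = @_;
    open(my $fh, '<', $path) or return;
    return $fh;
}

# Constructed sample names, created as ordinary files in a scratch directory.
my $dir   = tempdir(CLEANUP => 1);
my @names = ('report.txt', 'echo constructed |', '| tee copy', '>truncated.log');

for my $name (@names) {
    my $path = "$dir/$name";
    open(my $out, '>', $path) or die "create $path: $!";
    print {$out} "literal contents\n";
    close $out;

    my $fh = open_literal($path) or die "open $path: $!";
    my $line = <$fh>;
    close $fh;
    chomp $line;

    printf "%-22s 2-arg: %-20s 3-arg read: %s\n",
        "'$name'", two_arg_interpretation($name), $line;
}
```

Every sample is read back as a plain file by the 3-argument form, while the classifier shows which of the same names the 2-argument form would have treated as a mode or a command.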