Change 34670 by [EMAIL PROTECTED] on 2008/10/30 21:33:34
Subject: Re: [PATCH] [doc] be more explicit about magic argv
From: Moritz Lenz <[EMAIL PROTECTED]>
Date: Thu, 30 Oct 2008 20:30:00 +0100
Message-ID: <[EMAIL PROTECTED]>
Affected files ...
... //depot/perl/pod/perlop.pod#174 edit
... //depot/perl/pod/perlrun.pod#170 edit
Differences ...
==== //depot/perl/pod/perlop.pod#174 (text) ====
Index: perl/pod/perlop.pod
--- perl/pod/perlop.pod#173~33870~ 2008-05-19 09:08:57.000000000 -0700
+++ perl/pod/perlop.pod 2008-10-30 14:33:34.000000000 -0700
@@ -2246,6 +2246,18 @@
is magical. (The pseudo code above doesn't work because it treats
<ARGV> as non-magical.)
+Since the null filehandle uses the two argument form of L<perlfunc/open>
+it interprets special characters, so if you have a script like this:
+
+ while (<>) {
+ print;
+ }
+
+and call it with C<perl dangerous.pl 'rm -rfv *|'>, it actually opens a
+pipe, executes the C<rm> command and reads C<rm>'s output from that pipe.
+If you want all items in C<@ARGV> to be interpreted as file names, you
+can use the module C<ARGV::readonly> from CPAN.
+
You can modify @ARGV before the first <> as long as the array ends up
containing the list of filenames you really want. Line numbers (C<$.>)
continue as though the input were one big happy file. See the example
==== //depot/perl/pod/perlrun.pod#170 (text) ====
Index: perl/pod/perlrun.pod
--- perl/pod/perlrun.pod#169~34568~ 2008-10-24 09:35:48.000000000 -0700
+++ perl/pod/perlrun.pod 2008-10-30 14:33:34.000000000 -0700
@@ -655,6 +655,10 @@
lines printed. If a file named by an argument cannot be opened for
some reason, Perl warns you about it and moves on to the next file.
+Also note that C<< <> >> passes command line arguments to
+L<perlfunc/open>, which doesn't necessarily interpret them as file names.
+See L<perlop> for possible security implications.
+
Here is an efficient way to delete all files that haven't been modified for
at least a week:
End of Patch.